Cryptography-Digest Digest #378, Volume #14      Fri, 18 May 01 06:13:01 EDT

Contents:
  Re: Comparing two encrypted numbers ("Ned Takahashi")
  Re: Evidence Eliminator works great. Beware anybody who claims it   (Eric Lee Green)
  Re: taking your PC in for repair? WARNING: What will they find? (Eric Lee Green)
  Re: Comparing two encrypted numbers (Paul Rubin)
  Re: PRNG question from newbie (Stefan Lucks)
  Re: A simple encryption algorithm based on OTP (wtshaw)
  Re: new cipher (Stefan Lucks)
  Re: Questionable security measures (CIC and Cloakware!) (wtshaw)
  Crypto analysis software ("Hans Bergelind")
  Generate 256 bit prime numbers from passphrase ("Mr. Nice Guy")
  Re: Generate 256 bit prime numbers from passphrase (Paul Rubin)
  Re: Crypto analysis software ("Tom St Denis")
  Re: Questionable security measures (CIC and Cloakware!) (Mok-Kong Shen)
  Re: Help working through RSA example in Applied Cryptography 2nd edition p. 468 ("Tom St Denis")
  Re: A simple encryption algorithm based on OTP (Mok-Kong Shen)
  Re: Questionable security measures (CIC and Cloakware!) ("Tom St Denis")
  TC15a analysis ("Tom St Denis")
  Re: Questionable security measures (CIC and Cloakware!) ("Tom St Denis")
  Re: Choosing algorithms (Mark Wooding)
  Re: Comparing two encrypted numbers (Mark Wooding)
  Re: Choosing algorithms ("Tom St Denis")
  Re: Help working through RSA example in Applied Cryptography 2nd edition p. 468 (Mark Wooding)
  Re: Help working through RSA example in Applied Cryptography 2nd edition p. 468 ("Tom St Denis")
  papers galore ("Tom St Denis")
  Re: Crypto analysis software ("Hans Bergelind")

----------------------------------------------------------------------------

From: "Ned Takahashi" <[EMAIL PROTECTED]>
Subject: Re: Comparing two encrypted numbers
Date: Fri, 18 May 2001 04:25:27 GMT


"Martin Schweitzer" <[EMAIL PROTECTED]> skrev i meddelandet
news:3b044f52$[EMAIL PROTECTED]...
> Is anyone aware of a technique that allows two encrypted numbers to be
> compared without decrypting them?  I am told that there was a paper
> presented at RSA 2000 which mentions this, but I cannot find any reference
> to that paper.
>
> Thanks.
>

Straight public key cryptography may be used:

E(Public_key, number) = E(Public_key, test_number) when they are equal

But this cipher is only as secure as the numberspace is long times the speed
of public encryption, which may be less than breaking the private key, so
compensation may be needed (multiple encryption?).

If one has an oracle that knows if an encrypted number is greater or lower
than another, then one can guess in logarithmic time of the number space
using binary search. However, the oracle might require a lot of time, but
with practical numberspaces it will have to be too slow for longer term
secrecy.
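As an added worked example (mine, not from the poster), here is the equality test described above with a toy textbook-RSA key, plus the caveat the post raises: because unpadded public-key encryption is deterministic, anyone holding the public key can enumerate a small number space and match it against a ciphertext, and randomised padding is what removes both the equality test and that search. The primes P and Q, the exponent and the padding layout are constructed for illustration only.

```python
import secrets

# Constructed toy parameters: two small primes so the arithmetic is readable.
# A real RSA modulus is thousands of bits; this only shows the determinism issue.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent
PUBLIC, PRIVATE = (N, E), (N, D)


def encrypt_textbook(pk, m):
    """Unpadded ('textbook') RSA: the same m under the same key always gives the same c."""
    n, e = pk
    assert 0 <= m < n
    return pow(m, e, n)


def decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)


def same_plaintext(c1, c2):
    """Equality test on ciphertexts; only meaningful because encryption is deterministic."""
    return c1 == c2


def recover_from_numberspace(pk, c, upper):
    """What 'only as secure as the numberspace' means in practice: with only the public
    key, encrypt every candidate in a small domain and compare against c."""
    for m in range(upper):
        if encrypt_textbook(pk, m) == c:
            return m
    return None


R_BITS, M_BITS = 23, 16   # (r << 16) | m stays below 2**39, which is below N


def encrypt_randomised(pk, m, r=None):
    """Prepend a fresh random value r before encrypting. Two encryptions of the same m
    now differ, so ciphertext equality no longer reveals plaintext equality and the
    domain search above no longer finds m."""
    assert 0 <= m < (1 << M_BITS)
    if r is None:
        r = secrets.randbits(R_BITS)
    return encrypt_textbook(pk, (r << M_BITS) | m)


def decrypt_randomised(sk, c):
    """Strip the random prefix again after decryption."""
    return decrypt(sk, c) & ((1 << M_BITS) - 1)
```

The domain search costs one public-key operation per candidate, which is the "numberspace times the speed of public encryption" bound in the post; the randomised variant pushes the search space up by the size of r, which is the "compensation" the post gestures at.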







------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Crossposted-To: 
alt.privacy,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: Evidence Eliminator works great. Beware anybody who claims it  
Date: Fri, 18 May 2001 04:32:44 GMT

Nomen Nescio wrote: 
> My impression of EE is that it's a serious product, at least it was
> discussed seriously when it first came out; but when I went to their
> website it opened about 8 pop-up windows - talk about bottom-feeding
> web-sites; they spam newsgroups, and do it in an angry, aggressive
> sort of way, and they charge a ridiculously high price for EE.
> 
> It's almost as if the EE people want to destroy any chance they have
> to sell the product. Maybe they are trying to kill the business in
> some clever attempt at tax avoidance.

Puzzling. While I poke fun at the boys from time to time, in reality I
feel sorry for them. They remind me of the kind of arrogant know-it-all
jerk that I was when I was their age (I still have a hard time believing
that they're 28 and 30 like their incorporation papers say -- surely
they padded their ages by 10 years). 

On the other hand,  at least I had the sense to listen when one of my
customers told me I shouldn't diss my competitors on my BBS and in my
manual. Maybe I shouldn't feel sorry for them. Arrogant know-it-all
people tend to bring their own troubles upon themselves. These are some
guys who would benefit greatly from a Dale Carnegie course or just a
close and thoughtful read of "How to win friends and influence people". 

While I personally disapprove of "self help" books of that sort and the
cult of superficiality that has arisen around them, having had to learn
most of the lessons of that book via the school of hard knocks has led
me to believe that there's some good sense in much of what he says, such
as "Let the other person do a great deal of the talking". I've been in
some pretty hairy design meetings, one where each of the people involved
had their own idea of what the design should look like, and the lessons
learned through the school of hard knocks about listening, asking
questions, etc. that you get through HTWFAIF are invaluable for
surviving. I have another technique that wasn't mentioned in the summary
that also works well in that situation, which is to repeat the person's
idea back to him in the form of a question ("Okay, so you want to do
this, and this, and this?"). That lets him know that you heard him and
understand his concerns. Then you have more power to say "But I think
part A is too complicated and we don't have enough time in the schedule
for part B, could we simplify the task by doing this and this and
this?". 

It's all communication skills, and it's all learnable -- god knows I had
to learn them, the hard way, because by nature I'm pure computer geek. I
just hope that some day these kids (darn, I keep thinking of them as
kids, even though they aren't) reach a level of wisdom where they
realize that their current behavior is self-destructive and setting
themselves up for failure, and where they are motivated to change their
behavior and learn more productive ways of communicating. While
screaming "fuck off and die!" might be emotionally rewarding and in the
best tradition of British punk rock all the way back to the Sex Pistols,
it usually isn't very productive (at least if you're in the computer biz
instead of the punk attitude biz). 

-- 
Eric Lee Green                             mailto:[EMAIL PROTECTED]

------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Crossposted-To: 
alt.privacy,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: taking your PC in for repair? WARNING: What will they find?
Date: Fri, 18 May 2001 04:46:55 GMT

LMB wrote:
> On Thu, 17 May 2001 13:32:53 -0400, P.Dulles <*@*.com> wrote:
> >Let's try to be fair.  They aren't, this just further substantiates and
> >strengthens our argument.
> 
> Oh, I'll be fair, very fair. What I will do is to NEVER buy a product
> from any company that resorts to SPAM in an attempt to sell their
> product. Since EE is a major spammer I will never buy their product.
> We should stop this needless arguing and each of us simply send the
> message to the writers of EE that their SPAM has resulted in creating
> a non buyer for them. THAT is the effective message.

I'm not sure how effective that message is though. One of my prior
employers had very amateurish marketing materials. They were black and
white scare tactic ads similar to Evidence Eliminator's. I remember
seeing these ads before working for them and thinking "gosh, what a
bunch of maroons" and going about my business. But the company did
manage to stay in business with those ads. I asked the company
president, many years later (when it clicked that this was the same
company), about those terrible ads. His reply was that hey, they worked,
they kept the company in business for several years didn't they? Of
course, he did not see all the business that he lost from the immature
and unprofessional ads. All he saw was the business that he won that
way, which was less than it would have been with professional ads but he
couldn't see that. 

I suspect that the EE people are saying the same thing to themselves,
and ironically screwing themselves out of major $$$ because this is
ruining their reputation for years. I remember what a guy at a major
computer company told me about that former employer's product, "we'll
never deal with them again, because we dealt with them years ago and
they were arrogant and unprofessional and sold us a bill of goods." Even
though the company was now under different management and operated in a
professional manner, those bad feelings persisted 10 years after the
deed had been done. 

-- 
Eric Lee Green                             mailto:[EMAIL PROTECTED]

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: Comparing two encrypted numbers
Date: 17 May 2001 21:48:02 -0700

"Martin Schweitzer" <[EMAIL PROTECTED]> writes:
> Is anyone aware of a technique that allows two encrypted numbers to be
> compared without decrypting them?  I am told that there was a paper presented
> at RSA 2000 which mentions this, but I cannot find any reference to that
> paper.

Generally one tries to choose encryption algorithms that prevent this.

------------------------------

From: Stefan Lucks <[EMAIL PROTECTED]>
Subject: Re: PRNG question from newbie
Date: Fri, 18 May 2001 08:03:50 +0200

> > What would you call a primitive whose goal is to behave like a random
> > oracle?
> 
> A pseudorandom oracle?

That would be a good name. However, one can prove that pseudorandom
oracles don't exist. As was shown by Canetti, Goldreich and Halevi ("The
Random Oracle Method Revisited", 13th SToC, 1998) constructions exist
which are provably secure in the random oracle model but insecure for
every instantiation of the random oracle by a well-defined function.

This does IMHO not mean that random oracles are useless. A proof of
security in the random oracle shows that an attack to break the scheme
cannot be a "black box attack" (except when it breaks some underlying
cryptographic assumption, such as "factoring is hard"). A "black box attack"
treats some cryptographic function (e.g. a hash function) like a black
box, not making use of its internal representation. However, a proof of
security in the black box model is not an unconditional guarantee that the
scheme is secure if all cryptographic assumptions hold, as you usually
would expect from a proof of security. (I think there was some discussion
on this topic in sci.crypt some months ago, where Halevi (sp?)
participated.)

> Actually, what's slightly more interesting would be the security conditions
> such an object would attempt to meet.  Here's a first cut:
> 
> - A function PRO is a "pseudorandom oracle" if, given a test string X, a
> balanced boolean function B, and an oracle that returns the output PRO(Y)
> for any Y!=X, it is computationally infeasible for the attacker to guess the
> value of B(PRO(X)) with probability 0.5+epsilon.
> 
> I'm not happy with it -- it assumes that the attacker isn't given a
> description of PRO (otherwise he can compute PRO(X) directly).  Anybody have
> a better definition?

That is exactly the point why pseudorandom oracles don't exist:
  The basic idea in the Canetti, Goldreich and Halevi paper is to set
XXX := "some description of PRO (e.g. a program to compute PRO)" and to
let something strange happen if PRO(XXX) is evaluated. A true
(theoretical) random oracle does not have such a description, but every
pseudorandom oracle has ...


-- 
Stefan Lucks      Th. Informatik, Univ. Mannheim, 68131 Mannheim, Germany
            e-mail: [EMAIL PROTECTED]
            home: http://th.informatik.uni-mannheim.de/people/lucks/
======  I  love  the  smell  of  Cryptanalysis  in  the  morning!  ======



------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: A simple encryption algorithm based on OTP
Date: Thu, 17 May 2001 23:48:59 -0600

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:

> I think the key is part of the algorithm. key+algorithm is "the information"
> needed to decrypt, and having different keys just means to be able to replace 
> one specific piece of "the information". so one algorithm plus its keyspace 
> is equivalent to as many fixed algorithms as the keyspace is big. ;-)  
> exchanging either key or algorithm means the same. 

An actual run time key may be quite different from what is remembered as
the key.  All methods to create run time keys from other strings are
separate from the encryption algorithm, and open to considerable
variation. 
> 
> Both has to be agreed on by both sides and both just means using different 
> decoding information. 
> 
> So does "security by obscurity" just mean using a weak encryption in form
> of a weak fixed key algorithm? 
> 
An algorithm can be both obscure and innately strong.
-- 
George W. Bush is the weakest link...guh bye. 

------------------------------

From: Stefan Lucks <[EMAIL PROTECTED]>
Subject: Re: new cipher
Date: Fri, 18 May 2001 08:16:04 +0200

Magenta has been presented at some international conference years before
the AES started.

This was pointed out by a representative of Deutsche Telekom AG in a
letter to the editor to the German journal "Datenschutz und
Datensicherheit" as a response to an article of mine on the AES
competition (jointly with Ruediger Weis). (I never bothered to verify
this.) I don't remember the name of the conference, but I guess it has
been a very minor conference, and no cryptographer or cryptanalyst ever
did care to look at Magenta. Otherwise, I am sure they would have broken
Magenta immediately.

On 17 May 2001, jlcooke wrote:

> Ahh, right.  NT != DT.  However, the presenter mentioned in the
> presentation at the AES that DT had been using Magenta in commercial
> products for years as a trade secret.  So I guess as you say, "years and
> years" isn't accurate since the public didn't get to review it ... seems
> to have been a bad move on their part.
> 
> Paul Crowley wrote:
> > 
> > No, Magenta was Deutsche Telekom, this is Mitsubishi and NTT.  Also I
> > believe Magenta was devised for the AES, so "years and years" is an
> > exaggeration.  Camellia is based on the E2 AES submission, which was
> > one of the stronger candidates.

-- 
Stefan Lucks      Th. Informatik, Univ. Mannheim, 68131 Mannheim, Germany
            e-mail: [EMAIL PROTECTED]
            home: http://th.informatik.uni-mannheim.de/people/lucks/
======  I  love  the  smell  of  Cryptanalysis  in  the  morning!  ======



------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Questionable security measures (CIC and Cloakware!)
Date: Thu, 17 May 2001 23:56:31 -0600

In article <yq_M6.50912$[EMAIL PROTECTED]>, "Paul
Pires" <[EMAIL PROTECTED]> wrote:

> Tom St Denis <[EMAIL PROTECTED]> wrote in message
news:CWXM6.120842$[EMAIL PROTECTED]...
> >
> >
> > I wish more people would speak up when their company does silly things.
> 
> There weren't any gray crayons in your box when you were growing up,
> were there?
> 
He could always get a job with NSA and keep US informed. ;)
-- 
George W. Bush is the weakest link...guh bye. 

------------------------------

From: "Hans Bergelind" <[EMAIL PROTECTED]>
Subject: Crypto analysis software
Date: Fri, 18 May 2001 09:04:10 +0200

Hi all!

I'm looking for software that can analyse ciphertexts and help me out with
breaking them (the ciphers, that is  :)
I think it's overkill to make my own and it would take too much time.

Thanx in advance!



------------------------------

From: "Mr. Nice Guy" <[EMAIL PROTECTED]>
Subject: Generate 256 bit prime numbers from passphrase
Date: Fri, 18 May 2001 15:13:06 +0700

Hi,

How can I generate two 256 bit prime numbers (P & Q of RSA) from a provided
passphrase? Is there a standard algorithm to do that? Thanks in advance.

Regards,
Erwin

============================================================================
--
Don't work hard for a living, work smart for a lifestyle!
Don't do less than what you are capable of - work smart!





------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: Generate 256 bit prime numbers from passphrase
Date: 18 May 2001 01:27:45 -0700

"Mr. Nice Guy" <[EMAIL PROTECTED]> writes:
> How can I generate two 256 bit prime numbers (P & Q of RSA) from a provided
> passphrase? Is there a standard algorithm to do that? Thanks in advance.

You can come up with an algorithm for this pretty easily (hash the
passphrase into two 256-bit numbers and search for the closest prime
to each of them), but if you want to generate keys from passphrase,
RSA probably isn't what you want.  The key generation will be awfully
slow, and at 512 bits for the modulus, security won't be so good.

Better to use EC or a discrete-log scheme.
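The procedure the reply sketches (hash the passphrase into two 256-bit numbers, then search for a nearby prime), carried through as an added example that is mine rather than the poster's. The domain-separation labels, the "next prime at or above the seed" search direction and the e=65537 compatibility check are my choices; the post only gives the outline. The result is deterministic, which is the whole point and also the whole risk: the key carries no more entropy than the passphrase.

```python
import hashlib
import math

E = 65537  # public exponent the derived primes are made compatible with

# Odd primes below 1000, used for trial division and as Miller-Rabin bases.
SMALL_PRIMES = [p for p in range(3, 1000, 2)
                if all(p % q for q in range(3, math.isqrt(p) + 1, 2))]


def is_probable_prime(n, rounds=32):
    """Trial division followed by Miller-Rabin with fixed prime bases. Fixed bases are
    acceptable here because the candidates come from a hash, not from an adversary."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES[:rounds]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime_256(start, e=E):
    """Smallest 256-bit prime p >= start (top bit forced on) with gcd(e, p - 1) == 1,
    so that e is usable as the RSA public exponent."""
    n = start | (1 << 255) | 1          # exactly 256 bits, and odd
    while n < (1 << 256):
        if (n - 1) % e != 0 and is_probable_prime(n):
            return n
        n += 2
    raise ValueError("ran off the top of the 256-bit range; use another seed")


def derive_rsa_primes(passphrase):
    """Hash the passphrase into two domain-separated 256-bit seeds (labels are my
    construction) and walk each up to the next suitable prime."""
    pw = passphrase.encode("utf-8")
    seed_p = int.from_bytes(hashlib.sha256(b"rsa-p|" + pw).digest(), "big")
    seed_q = int.from_bytes(hashlib.sha256(b"rsa-q|" + pw).digest(), "big")
    p = next_prime_256(seed_p)
    q = next_prime_256(seed_q)
    if p == q:
        raise ValueError("degenerate seeds produced p == q")
    return p, q


def build_rsa_key(p, q, e=E):
    """Assemble (n, e, d). The 512-bit modulus is far too small for real use, as the
    reply warns; this only demonstrates the derivation."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return n, e, d
```

Walking upward to the next prime also biases the output toward primes that follow large prime gaps, and a guessed passphrase reproduces the key exactly, which is why the reply steers towards schemes where a passphrase-derived secret is cheap to compute and the public key size is not the bottleneck.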

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Crypto analysis software
Date: Fri, 18 May 2001 08:35:44 GMT


"Hans Bergelind" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi all!
>
> I'm looking for software that can analyse ciphertexts and help me out with
> breaking them (the ciphers, that is  :)
> I think it's overkill to make my own and it would take too much time.
>
> Thanx in advance!

What ciphers do you want to break?

Tom



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Questionable security measures (CIC and Cloakware!)
Date: Fri, 18 May 2001 10:34:06 +0200



Tom St Denis wrote:
> 
> I wish more people would speak up when their company does silly things.

Maybe your employer is exceptionally liberal but most
are not liberal for being scolded publicly (whether
for good reasons or not) by their employees according to 
my knowledge. (Show your post to your superior, if you 
are not convinced.)

M. K. Shen

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Help working through RSA example in Applied Cryptography 2nd edition p. 468
Date: Fri, 18 May 2001 08:38:48 GMT


"Darren New" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tom St Denis wrote:
> > The idea is if I write something like k * y^-1 * g^x (mod p) it's easier
> > to note this is all mod p instead of writing k mod p * (y mod p)^-1 *
> > (g mod p)^x mod p.
>
> Actually, in math (as opposed to computers) it's more like "mod p" is a
> data type than it is an operation. All the values and all the operations
> (such as exponentiation) are interpreted differently.

Actually in computers much like in math "mod p" defines a finite field if p
is prime, and a finite ring if p is composite.  For example Z7 is a field
since it contains all the required properties just like Q (rationals).

> It's like saying "x/y as an integer operation" vs "x/y as a float
> operation" in programming.

No it's like saying "x/y mod p" is a field/ring operation just like in math.

Tom



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: A simple encryption algorithm based on OTP
Date: Fri, 18 May 2001 10:54:43 +0200



wtshaw wrote:
> 
> An algorithm can be both obscure and innately strong.

Using secret algorithms has the well-known objections.
But there are quite a number of apparently not too bad 
public algorithms around. Using them in some key-dependent 
ways could mean real trouble for the opponent. Note the
combinatorial explosion of choices for e.g. multiple
encryptions, when a number of alternative algorithms
(maybe also with parameters) are available.

M. K. Shen

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Questionable security measures (CIC and Cloakware!)
Date: Fri, 18 May 2001 09:10:51 GMT


"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Tom St Denis wrote:
> >
> > I wish more people would speak up when their company does silly things.
>
> Maybe your employer is exceptionally liberal but most
> are not liberal for being scolded publically (whether
> for good reasons or not) by their employees according to
> my knowledge. (Show your post to your superior, if you
> are not convinced.)

afaik my employer reads sci.crypt.

I don't want to bad mouth my company but I think it's shameful that they
employ these "shhh it's secure because we say so" tactics.  I think (not sure)
I was hired to do cryptanalysis of their ideas etc (like a lab assistant of
sorts) this is kind of counterproductive.

Also I can't get canned for this since I haven't violated my NDA and it's
not like what I am saying is a lie.  If people fear the truth then what's
the point?  Just make your product ship it out and hope the # people you
kill equals the # of people who complain and happen to be the same...

Ironically if the signature stuff is bad (I dunno so I can't say one way or
the other) the only people to get zinged are these "m-business corporate
meat heads" anyways so it's like a bit of their own medicine... hehehe

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: TC15a analysis
Date: Fri, 18 May 2001 09:19:55 GMT

So far I haven't found any good differentials in TC15a (source on my
website) so in an eight round copy the outline of the analysis is this

1.  We need 64 active sboxes by round five
2.  We can get through the first two rounds with under 24 active sboxes
rather easily.
3.  Round three and four typically have 28+ active sboxes in all
differentials I tried

This totals to 24 + 2*28 = 80 active sboxes.  At eight rounds the cipher
runs at 162 cycles per block, at 12 rounds the cipher runs at about 250
cycles per block.  One thing that makes the differentials so hard is that
the carries can create a new active sbox and also unlike Noekeon my LT
doesn't cancel out new differences...

        /* a, b, c, d are 32-bit words; ROTL is a 32-bit rotate left.
           The macro below is assumed here, it is not shown in the post. */
        #define ROTL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
        a = ROTL(a, 1);
        b = ROTL(b, 9);
        c = ROTL(c, 17);
        temp = (c*3) + (d*9);
        a += temp;
        b -= temp;
        temp = (a*3) + (b*9);
        c += temp;
        d -= temp;

We see by the second "temp = (a*3) + ..." that the first "temp" will
evaluate to -6 * temp which loses a bit but at least is not zero.  Also the
reason I picked 3 and 9 is that on an x86 you can mult by these in a single
clock cycle.  I believe if I am not mistaken that even Alphas have special
+- 2^k multipliers up to k=3 don't they?

ASM source and C source both on my website

http://tomstdenis.home.dhs.org/tc15a_asm.zip
http://tomstdenis.home.dhs.org/tc15a.c
--
Tom St Denis
---
http://tomstdenis.home.dhs.org
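The linear transform quoted in the post, reimplemented on 32-bit words as an added example (my code, not the TC15a source linked above). Two things a reviewer wants to check on a cipher's diffusion layer are included: an inverse (my own derivation, needed for decryption and not shown in the post) that round-trips, and a check of the post's claim that the second "temp" comes out as 3a + 9b - 6*temp1 modulo 2^32.

```python
MASK = 0xFFFFFFFF


def rotl(x, n):
    """32-bit rotate left."""
    return ((x << n) | (x >> (32 - n))) & MASK


def rotr(x, n):
    return rotl(x, 32 - n)


def tc15a_lt(a, b, c, d):
    """Forward LT exactly as in the post's C fragment, with 32-bit wraparound."""
    a, b, c = rotl(a, 1), rotl(b, 9), rotl(c, 17)
    temp = (3 * c + 9 * d) & MASK
    a = (a + temp) & MASK
    b = (b - temp) & MASK
    temp = (3 * a + 9 * b) & MASK
    c = (c + temp) & MASK
    d = (d - temp) & MASK
    return a, b, c, d


def tc15a_lt_inv(a, b, c, d):
    """Inverse LT (my derivation). The last temp only depends on a and b, which are not
    modified afterwards, so it can be recomputed and subtracted; then the same for the
    first temp, which depends on c and d; finally undo the rotations."""
    temp = (3 * a + 9 * b) & MASK
    c = (c - temp) & MASK
    d = (d + temp) & MASK
    temp = (3 * c + 9 * d) & MASK
    a = (a - temp) & MASK
    b = (b + temp) & MASK
    return rotr(a, 1), rotr(b, 9), rotr(c, 17), d


def second_temp_matches_claim(a, b, c, d):
    """The post's observation: after a += temp1 and b -= temp1, the second temp equals
    3*a + 9*b - 6*temp1 (mod 2^32), evaluated on the rotated words."""
    a, b, c = rotl(a, 1), rotl(b, 9), rotl(c, 17)
    temp1 = (3 * c + 9 * d) & MASK
    temp2 = (3 * ((a + temp1) & MASK) + 9 * ((b - temp1) & MASK)) & MASK
    return temp2 == (3 * a + 9 * b - 6 * temp1) & MASK


def roundtrip_ok(vectors):
    """True if the inverse undoes the forward transform on every constructed vector."""
    return all(tc15a_lt_inv(*tc15a_lt(*v)) == v for v in vectors)


# Constructed test vectors, not from the TC15a sources.
VECTORS = [
    (0, 0, 0, 0),
    (1, 2, 3, 4),
    (MASK, MASK, MASK, MASK),
    (0xDEADBEEF, 0x01234567, 0x89ABCDEF, 0xFEDCBA98),
]
```

Multiplying by 3 and 9 modulo 2^32 is invertible (both are odd), but the -6*temp1 term the post points out is not: 6 is even, so that contribution loses its top bit modulo 2^32, which is the "loses a bit" remark in the post.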



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Questionable security measures (CIC and Cloakware!)
Date: Fri, 18 May 2001 09:32:04 GMT


"wtshaw" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> In article <yq_M6.50912$[EMAIL PROTECTED]>, "Paul
> Pires" <[EMAIL PROTECTED]> wrote:
>
> > Tom St Denis <[EMAIL PROTECTED]> wrote in message
> news:CWXM6.120842$[EMAIL PROTECTED]...
> > >
> > >
> > > I wish more people would speak up when their company does silly
> > > things.
> >
> > There weren't any gray crayons in your box when you were growing up,
> > were there?
> >
> He could always get a job with NSA and keep US informed. ;)

Ok guys thanks for belittling me here... Just because I openly say "bad
crypto bad" I'm now a traitor?

Tom



------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Choosing algorithms
Date: 18 May 2001 09:33:15 GMT

Mark Wooding <[EMAIL PROTECTED]> wrote:

> Actually, these questions raised an awkward problem.  I don't actually
> have a hash algorithm with a 256-bit output that I really trust.
> Sigh.

Here's an idea I came up with yesterday and thought about overnight.

Let H and H' be hash functions.  Define F(x) = H(x || H'(x)).  Then:

  * F is negligibly harder to compute than both H and H'
    simultaneously.  In particular, F can be computed incrementally.

  * F is /no less secure/ than H[1].  For example, if F(x) = F(y) then
    H(x || H'(x)) = H(y || H'(y)), i.e., collisions in F are collisions
    in H.  Similar arguments apply to preimages and second preimages.

  * F stands a good chance of being stronger than H if H is `a bit
    weak', but H' isn't.  If H is really bad then we just lose.  I can't
    see a way around that.

Has this technique appeared anywhere else?  If not, I propose naming it
`hash reinforcement'.  And I solve my dilemma with untrustworthy wide
hash functions by using F(x) = SHA256(x || RMD160(x)).

[1] In all of the security models I've thought about so far.

-- [mdw]

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Comparing two encrypted numbers
Date: 18 May 2001 09:35:53 GMT

Martin Schweitzer <[EMAIL PROTECTED]> wrote:
> Is anyone aware of a technique that allows two encrypted numbers to be
> compared without decrypting them?  I am told that there was a paper presented
> at RSA 2000 which mentions this, but I cannot find any reference to that
> paper.

`A cost-efficient pay-per-multiplication solution for millionaires', I
think.  I can't remember the author, and I've not received the
conference proceedings yet.

-- [mdw]

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Choosing algorithms
Date: Fri, 18 May 2001 09:40:33 GMT


"Mark Wooding" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Mark Wooding <[EMAIL PROTECTED]> wrote:
>
> > Actually, these questions raised an awkward problem.  I don't actually
> > have a hash algorithm with a 256-bit output that I really trust.
> > Sigh.
>
> Here's an idea I came up with yesterday and thought about overnight.
>
> Let H and H' be hash functions.  Define F(x) = H(x || H'(x)).  Then:
>
>   * F is negligibly harder to compute than both H and H'
>     simultaneously.  In particular, F can be computed incrementally.
>
>   * F is /no less secure/ than H[1].  For example, if F(x) = F(y) then
>     H(x || H'(x)) = H(y || H'(y)), i.e., collisions in F are collisions
>     in H.  Similar arguments apply to preimages and second preimages.
>
>   * F stands a good chance of being stronger than H if H is `a bit
>     weak', but H' isn't.  If H is really bad then we just lose.  I can't
>     see a way around that.
>
> Has this technique appeared anywhere else?  If not, I propose naming it
> `hash reinforcement'.  And I solve my dilemma with untrustworthy wide
> hash functions by using F(x) = SHA256(x || RMD160(x)).

While this is neat you haven't solved anything.  The original problem is "is
H better than H', or vice versa... oh I don't know... I will use BOTH!" but
in this case you still don't know and if it turns out H is horrible then the
entire construction fails.

Wouldn't a better approach be

F(x) = H(x) xor H'(x)

That way if H is horrible H' can take up the slack (Shannon principles come
in here) and vice versa.  The only big problem is if H and H' are not
distant enough (i.e. they output similar values) then F(x) will have a lot of
zero bits more than one bits.  I think vastly incompatible algorithms like
SHA1 and Tiger/160 could be useful here.
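Both constructions from this exchange, Mark Wooding's F(x) = H(x || H'(x)) and Tom St Denis's F(x) = H(x) xor H'(x), as an added example of mine rather than either poster's code. It also shows the incremental computation Mark claims (stream x into H and H' together, then finish H' and feed its digest into H) and the degenerate end of Tom's "not distant enough" worry: if H' is the same function as H, the XOR combiner outputs all zeros. Hash choices are substitutions: SHA-1 stands in for RIPEMD-160 as the inner hash because hashlib does not guarantee ripemd160, and the XOR combiner uses two 256-bit functions because SHA-1 and Tiger/160 are not both in hashlib.

```python
import hashlib


def reinforce(data, outer="sha256", inner="sha1"):
    """Hash reinforcement, one-shot: F(x) = H(x || H'(x))."""
    inner_digest = hashlib.new(inner, data).digest()
    return hashlib.new(outer, data + inner_digest).digest()


class ReinforcedHash:
    """Incremental form of the same F. Each chunk goes to both H and H'; digest()
    finalises a copy of H's state with H'(x) appended, so update() may continue."""

    def __init__(self, outer="sha256", inner="sha1"):
        self._h = hashlib.new(outer)
        self._hp = hashlib.new(inner)

    def update(self, chunk):
        self._h.update(chunk)
        self._hp.update(chunk)

    def digest(self):
        h = self._h.copy()
        h.update(self._hp.digest())
        return h.digest()


def xor_combine(data, h1="sha256", h2="sha3_256"):
    """The XOR alternative F(x) = H(x) xor H'(x). Requires equal digest lengths; with
    h1 == h2 the two digests cancel and the output is constant zero."""
    a = hashlib.new(h1, data).digest()
    b = hashlib.new(h2, data).digest()
    if len(a) != len(b):
        raise ValueError("xor combiner needs equal-length digests")
    return bytes(x ^ y for x, y in zip(a, b))
```

The collision argument in Mark's post is visible in reinforce(): any collision F(x) = F(y) is a collision of the outer hash on the strings x || H'(x) and y || H'(y), so the construction can only be as bad as H. The XOR form has no such floor, which is the objection in the thread: its strength depends on the two functions being unrelated, and the h1 == h2 case is the extreme of that.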




------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Help working through RSA example in Applied Cryptography 2nd edition p. 468
Date: 18 May 2001 09:41:53 GMT

Tom St Denis <[EMAIL PROTECTED]> wrote:

> Actually in computers much like in math "mod p" defines a finite field
> if p is prime, and a finite ring if p is composite.  For example Z7 is
> a field since it contains all the required properties just like Q
> (rationals).

Actually, if we're going to throw the whole ring/field stuff at this,
then we'll just say somewhere that we're talking about elements of Z/nZ
somewhere and not bother with all of the (mod n) annotations (or writing
elements as x + nZ or anything else tedious like that).

-- [mdw]

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Help working through RSA example in Applied Cryptography 2nd edition p. 468
Date: Fri, 18 May 2001 09:45:39 GMT


"Mark Wooding" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tom St Denis <[EMAIL PROTECTED]> wrote:
>
> > Actually in computers much like in math "mod p" defines a finite field
> > if p is prime, and a finite ring if p is composite.  For example Z7 is
> > a field since it contains all the required properties just like Q
> > (rationals).
>
> Actually, if we're going to throw the whole ring/field stuff at this,
> then we'll just say somewhere that we're talking about elements of Z/nZ
> somewhere and not bother with all of the (mod n) annotations (or writing
> elements as x + nZ or anything else tedious like that).

True.  However it's very simple just to put (mod n) at the end of all your
equations to make sure everyone is on the same wavelength... no need to
re-define all the math operators for this field since the average joe will
know.

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: papers galore
Date: Fri, 18 May 2001 09:48:14 GMT

I put my collection of papers on the FTP site... most papers have really
horrible names like BELLA~4.ps since I stole them from Schneiers list of
papers (all-authors.html).  I renamed about 10% of the papers I downloaded
and my original collection (back about 1yr ago) is there too (with real
names).

I will work on renaming the files slowly.. (takes a while since I have to
open em, copy the title then rename it)

ftp 24.112.8.23, port number 2121, user/pass = scicrypt/scicrypt
--
Tom St Denis
---
http://tomstdenis.home.dhs.org



------------------------------

From: "Hans Bergelind" <[EMAIL PROTECTED]>
Subject: Re: Crypto analysis software
Date: Fri, 18 May 2001 11:43:39 +0200

Hi Tom and thanx for your time...

I would be really happy to have a tool that could suggest what kind of
cipher a text might be encrypted with. Maybe that's just too hard to make.

A simpler kind, that helps me to follow up examples while I'm reading
cryptobooks would be a big help. DES and RC5 are ciphers that are a bit more
interesting.

Bye

> > Hi all!
> >
> > I'm looking for software that can analyse ciphertexts and help me out with
> > breaking them (the ciphers, that is  :)
> > I think it's overkill to make my own and it would take too much time.
> >
> > Thanx in advance!
>
> What ciphers do you want to break?
>
> Tom
>
>



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
