Cryptography-Digest Digest #380, Volume #14 Fri, 18 May 01 11:13:00 EDT
Contents:
Re: OT lethal force; was: ON-topic - UK crime statistics (was Re: Best, Strongest
Algorithm) (SCOTT19U.ZIP_GUY)
Re: Choosing algorithms (Mark Wooding)
Re: Questionable security measures (CIC and Cloakware!) (Niklas Frykholm)
Re: Choosing algorithms ("Tom St Denis")
Re: Questionable security measures (CIC and Cloakware!) (Mok-Kong Shen)
Re: Choosing algorithms (Mark Wooding)
Re: People with x86 cpus (please reply) ("Christian Schwarz")
Re: Crypto analysis software ("Robert Reynard")
Re: PRNG question from newbie (Mark Wooding)
<no subject> ("ritesh_swd")
Help Needed ("ritesh_swd")
Re: Crypto analysis software ("Hans Bergelind")
Re: Randomized cryptosystems (was Re: Are low exponents a problem with RSA?)
("Joseph Ashwood")
Re: Questionable security measures (Cloakware!) (Stanley Chow)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: OT lethal force; was: ON-topic - UK crime statistics (was Re: Best,
Strongest Algorithm)
Date: 18 May 2001 12:21:34 GMT
[EMAIL PROTECTED] wrote in <[EMAIL PROTECTED]>:
>
>
>But note that even this principle has exceptions. If you're standing
>there with an empty pistol, it might not hurt to point the thing and
>say ``freeze''. If you do it with conviction, you have a better than
>90% chance of carrying the bluff. (But beware; the average person can't
>carry a bluff.)
>
I can carry a bluff in poker. But it's hard to bluff when you
have a 45 long colt and the cylinder is empty. Even an idiot can
tell it's empty so you can't bluff with it. Also I have the famous
plastic 22 from Ram Line. I have asked various people over the years
if this is a toy. No one who was not familiar with it thought it
was other than a toy. I think I could reverse bluff with this one.
If a burglar came in I could point it at him and say back off or I'll
shoot. Then after he walks up laughingly to take it away you fill
his chest with the 22 stingers. I think he would stop laughing. It's
a small gun but easy for a woman to handle.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged or
something..
No I'm not paranoid. You all think I'm paranoid, don't you!
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Choosing algorithms
Date: 18 May 2001 12:39:36 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
> Also you have to consider that the composition F = H o H'(x) may in fact be
> weaker than either H or H'.
Yes, but fortunately, I'm not using the composition. I suggested
F(x) = H(x || H'(x))
not
F(x) = H(H'(x))
The latter emphatically does not have the security properties I can
prove for the former.
> I noted that (e.g "Vastly different constructions").
If you can come up with some way of putting this in a security proof
then I'll be happy. At the moment, you've just waved hands.
> Let's suppose both H and H' are truly random functions then obviously
> F in my construction (actually let's call my F, F' for simplicity) then
> my F' is provably secure (i.e it's an OTP).
OK, it's true that if H and H' are function families then it's as hard
to distinguish F' (constructed from randomly-chosen members of H and H')
from a random function as it is to distinguish a randomly chosen member
of both H and H'.
But this is (a) a very strong notion of security and (b) not one that's
actually applicable to the analysis of hash functions.
> In a practical sense this is not true. But let's suppose it's a
> finite fixed mapping (i.e 160 bits => 160 bits) where it behaves with
> the properties of SAC etc. Then unless a significant portion of the
> mappings are in union between H and H' my construction should be about
> as strong as the weakest.
That's not a very good property, and hardly one that can be called
`reinforcement'.
-- [mdw]
------------------------------
From: [EMAIL PROTECTED] (Niklas Frykholm)
Subject: Re: Questionable security measures (CIC and Cloakware!)
Date: Fri, 18 May 2001 10:13:16 +0000 (UTC)
Tom St Denis wrote:
>Cloakware just released a product that uses CIC's signature detection
>algorithms but they won't release the details (I know since I work for
>Cloakware).
>
>This is a shameful crypto-practice and both companies should be ashamed of
>themselves.
>
>Reminds me of the RSA SecurID "scandal". It is secure because ... umm ...
>we say so!
I think all serious companies are aware that the best way of knowing whether an
algorithm is secure is by publishing it openly (*and* paying someone to analyze
it --- in general, you should not expect people to do your work for free).
The decision to keep an algorithm secret is not an attempt to achieve "security
by secrecy". Rather, it is based on business concerns. RSA was probably worried
about cheap clones of their tokens. Most biometric companies keep their
algorithms secret -- they don't want their competitors to take advantage of
them.
Sure, patent and copyright law can protect against theft, but the protection
they offer is only limited. For example, the offending company may be located
in a country that doesn't respect patent law. And tracking down and prosecuting
violations can be very expensive.
// Niklas
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Choosing algorithms
Date: Fri, 18 May 2001 12:48:03 GMT
"Mark Wooding" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tom St Denis <[EMAIL PROTECTED]> wrote:
>
> > Also you have to consider that the composition F = H o H'(x) may in fact be
> > weaker than either H or H'.
>
> Yes, but fortunately, I'm not using the composition. I suggested
>
> F(x) = H(x || H'(x))
>
> not
>
> F(x) = H(H'(x))
>
> The latter emphatically does not have the security properties I can
> prove for the former.
>
> > I noted that (e.g "Vastly different constructions").
>
> If you can come up with some way of putting this in a security proof
> then I'll be happy. At the moment, you've just waved hands.
True, but um so have you!
> > Let's suppose both H and H' are truly random functions then obviously
> > F in my construction (actually let's call my F, F' for simplicity) then
> > my F' is provably secure (i.e it's an OTP).
>
> OK, it's true that if H and H' are function families then it's as hard
> to distinguish F' (constructed from randomly-chosen members of H and H')
> from a random function as it is to distinguish a randomly chosen member
> of both H and H'.
>
> But this is (a) a very strong notion of security and (b) not one that's
> actually applicable to the analysis of hash functions.
>
> > In a practical sense this is not true. But let's suppose it's a
> > finite fixed mapping (i.e 160 bits => 160 bits) where it behaves with
> > the properties of SAC etc. Then unless a significant portion of the
> > mappings are in union between H and H' my construction should be about
> > as strong as the weakest.
>
> That's not a very good property, and hardly one that can be called
> `reinforcement'.
My idea is not to make a composite that is stronger but to make one that is
as good as the strongest.
Tom
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Questionable security measures (CIC and Cloakware!)
Date: Fri, 18 May 2001 15:05:09 +0200
Tom St Denis wrote:
>
> I haven't broken any agreement. My contract with Cloakware doesn't say "you
> must speak positive about the company at all times". It may sound corny
> but I really want to be a person (have to be PC nowadays...) of science and
> this sort of work while it is scientific does not follow any of the
> principles I wish to follow myself. They want to release stuff regardless
> of how much analysis they have/have not done. By "just cashing a paycheque"
> I am demeaning the whole value of scientific research...
Consciously demolishing a firm's reputation or the like
is definitely a solid ground for discharge. I am not surprised
at your current thinking, since that's probably your very
first job in life. If your thoughts are in conflict with the
policy or moral or the like of a company with which you
have a contract to work and feel uncomfortable and you are
not on the top level of the management of the company, the
only decent and sensible way I am aware of is to voluntarily
quit. A commercial organization is inherently different
from the society of common people at large of democratic
countries, where everybody has a right to express his
free opinions. Thus we can here in the group criticize
export regulations, Wassenaar, RIPA, etc. etc. and that
presumably has contributed somewhat in these matters.
But even a government officer may not, in his official
position, deliberately speak negatively in the public
about what the government has done, except in rather
special cases where he has obtained the permission to
do so from his superior.
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Choosing algorithms
Date: 18 May 2001 13:19:01 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
>
> "Mark Wooding" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Tom St Denis <[EMAIL PROTECTED]> wrote:
> >
> > > Also you have to consider that the composition F = H o H'(x) may in fact be
> > > weaker than either H or H'.
> >
> > Yes, but fortunately, I'm not using the composition. I suggested
> >
> > F(x) = H(x || H'(x))
> >
> > not
> >
> > F(x) = H(H'(x))
> >
> > The latter emphatically does not have the security properties I can
> > prove for the former.
> >
> > > I noted that (e.g "Vastly different constructions").
> >
> > If you can come up with some way of putting this in a security proof
> > then I'll be happy. At the moment, you've just waved hands.
>
> True, but um so have you!
No. I've /proven/, in a formal way, that my construction is at least as
strong as the outer hash function in a number of ways relevant to the
analysis of hash functions.
Oh, I'll spell it out.
Let's suppose that H and H' are functions from {0, 1}^* -> {0, 1}^l and
{0, 1}^* -> {0, 1}^{l'} respectively. Define F : {0, 1}^* -> {0, 1}^l
by:
F(x) = H(x || H'(x))
Now, I claim that:
* F is no less collision-resistant than H;
* it is no easier to find second preimages in F than in H;
* it is no easier to find a preimage in F than in H.
Proofs:
* Suppose A is a randomized algorithm which returns pairs (x, y) such
that x != y and F(x) = F(y), with some stated resource bounds and
probability of success. Then the algorithm B, defined by:
(x, y) <R- A
return (x || H'(x), y || H'(y))
returns pairs (x', y') such that x' != y' (because x != y and the
output of H' has fixed length) and H(x') = H(y') (by construction of
F); i.e., B has found a collision in H with negligible additional
work, and with the same probability of success.
* Suppose A is a randomized algorithm which, given a string x returns
a string y such that x != y and F(x) = F(y), with some stated
resource bounds and probability of success. Then, the algorithm B,
defined by
y <R- A(x' || H'(x'))
return y || H'(y)
when run on input x', returns a y' such that x' != y' and H(x') =
H(y'); i.e., it has found a second preimage with negligible
additional work and with the same probability of success.
* Sigh. Almost there. Suppose A is a randomized algorithm which,
given an l-bit string h returns a string x such that F(x) = h, with
some stated resource bounds and probability of success. Then, the
algorithm B, defined by
x <R- A(h)
return x || H'(x)
when run on input h, returns a string x' such that H(x') = h; i.e.,
it has found a preimage with negligible additional work and
probability of success.
The notation `<R-' is an attempt at an arrow with a little `R' over it,
to denote `random selection from'.
> > > Then unless a significant portion of the mappings are in union
> > > between H and H' my construction should be about as strong as the
> > > weakest.
> >
> > That's not a very good property, and hardly one that can be called
> > `reinforcement'.
>
> My idea is not to make a composite that is stronger but to make one
> that is as good as the strongest.
But that's (a) not what you've claimed, and (b) not what you've
achieved. You've claimed a function which is no weaker than the weaker
of H and H'. Of course, the function H is no weaker than the weaker of
H and H', (as is my F); but my construction comes with a proof (above)
that this is so, whereas yours doesn't (and indeed can be weaker than
either, e.g., if the same hash function is used twice).
As I said, I've satisfied myself that attempting to find a construction
which is stronger than either of the underlying hashes isn't possible in
the general case. I think that F is as good as you'll get. The proof
that it can't possibly make matters worse than a single hash function is
very handy, and the heuristic argument that it might make things quite a
bit better if H turns out to be `a bit crap' is enough to persuade me,
at least, that it deserves the name `reinforcement'.
-- [mdw]
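Mark's construction and the first and third reductions in his proof, run as code. This is an added example and not code from the thread: the outer hash H is deliberately a toy, SHA-256 truncated to 16 bits, so that the adversary A against F can be a plain brute-force search that finishes quickly, and the reductions B are then checked on real colliding and preimage inputs. H' is SHA-1, whose fixed 160-bit output is what the x' != y' step of the collision proof relies on; inputs are 8-byte counters so the run is repeatable. All function names and parameters are this example's own choices.

```python
"""Added example: F(x) = H(x || H'(x)) with the collision and preimage
reductions from the post, checked on a deliberately weak toy H."""
import hashlib
from typing import Callable, Dict, Optional, Tuple

HashFn = Callable[[bytes], bytes]


def truncated(algo: str, nbytes: int) -> HashFn:
    """Build a hash that keeps only the first nbytes of an `algo` digest."""
    def h(data: bytes) -> bytes:
        return hashlib.new(algo, data).digest()[:nbytes]
    return h


H = truncated("sha256", 2)       # outer hash, l = 16 bits: toy, weak on purpose
H_PRIME = truncated("sha1", 20)  # inner hash H', l' = 160 bits, fixed length


def F(x: bytes) -> bytes:
    """The reinforced hash from the post: F(x) = H(x || H'(x))."""
    return H(x + H_PRIME(x))


def counter_input(i: int) -> bytes:
    """Repeatable, pairwise-distinct inputs for the searches below."""
    return i.to_bytes(8, "big")


def find_collision(h: HashFn, limit: int = 1 << 20) -> Optional[Tuple[bytes, bytes]]:
    """Adversary A against collision resistance: birthday search over counters."""
    seen: Dict[bytes, bytes] = {}
    for i in range(limit):
        x = counter_input(i)
        d = h(x)
        if d in seen:
            return seen[d], x  # distinct inputs, since counters never repeat
        seen[d] = x
    return None


def find_preimage(h: HashFn, target: bytes, limit: int = 1 << 20) -> Optional[bytes]:
    """Adversary A against preimage resistance: exhaustive search over counters."""
    for i in range(limit):
        x = counter_input(i)
        if h(x) == target:
            return x
    return None


def b_collision(x: bytes, y: bytes) -> Tuple[bytes, bytes]:
    """Reduction B from the proof: an F-collision (x, y) becomes the H-collision
    (x || H'(x), y || H'(y)); x' != y' because x != y and H' has fixed length."""
    return x + H_PRIME(x), y + H_PRIME(y)


def b_preimage(x: bytes) -> bytes:
    """Reduction B from the proof: an F-preimage x of h is the H-preimage x || H'(x)."""
    return x + H_PRIME(x)


def collision_reduction_holds() -> bool:
    """Find an F-collision, push it through B, and confirm it collides under H."""
    pair = find_collision(F)
    if pair is None:
        return False
    x, y = pair
    xp, yp = b_collision(x, y)
    return x != y and F(x) == F(y) and xp != yp and H(xp) == H(yp)


def preimage_reduction_holds(target: bytes = b"\x12\x34") -> bool:
    """Find an F-preimage of target, push it through B, and confirm H maps it to target."""
    x = find_preimage(F, target)
    if x is None:
        return False
    return F(x) == target and H(b_preimage(x)) == target


if __name__ == "__main__":
    print("collision reduction holds:", collision_reduction_holds())
    print("preimage reduction holds:", preimage_reduction_holds())
```

The two checks are exactly the argument in the post: B does one extra H' evaluation per input and otherwise inherits A's work and success probability, so F cannot be easier to attack than H for these properties. Nothing here says anything about F being stronger than H; with a 16-bit H both searches succeed at once, which is the point of the proof's "no worse than H" wording.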
------------------------------
From: "Christian Schwarz" <[EMAIL PROTECTED]>
Subject: Re: People with x86 cpus (please reply)
Date: Fri, 18 May 2001 15:16:35 +0200
pentium mmx: 240 cycles
pentium 3 (no coppermine): 200 cycles
------------------------------
From: "Robert Reynard" <[EMAIL PROTECTED]>
Subject: Re: Crypto analysis software
Date: Fri, 18 May 2001 09:34:48 -0400
Hans,
Go to ==>http://codebreaker.dids.com/Codes.htm to download software that
breaks 'hand ciphers' including an excellent monoalphabetic cipher cracker
by Chris Case.
Also, at ==>http://codebreaker.dids.com/Author.htm there is a list of links
to other sites that provide programs and info on the subject, including John
Savard's site (descriptions of many cipher systems), Joe Peschel's site
(scores of links to various cracker software) and Peter Conrad's site
(PKZIP cracker).
"Hans Bergelind" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi all!
>
> I'm looking for software that can analyse ciphertexts and help me out with
> breaking them (the ciphers, that is :)
> I think it's overkill to make my own and it would take too much time.
>
> Thanx in advance!
>
>
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: PRNG question from newbie
Date: 18 May 2001 13:36:14 GMT
David Wagner <[EMAIL PROTECTED]> wrote:
> Yes, but usually when people say "secure hash function", they
> implicitly assume far more than just one-wayness and
> collision-resistance. So I take "secure hash function" to mean that
> it behaves like a random oracle, with no structure whatsoever.
Unfortunately, no hash function actually does behave like this, and we
use hash functions in circumstances in which keyed function families
won't do the job.
-- [mdw]
------------------------------
From: [EMAIL PROTECTED] ("ritesh_swd")
Subject: <no subject>
Date: Fri, 18 May 2001 13:46:00 +0000 (UTC)
--
Posted from [202.58.164.174]
via Mailgate.ORG Server - http://www.Mailgate.ORG
------------------------------
From: [EMAIL PROTECTED] ("ritesh_swd")
Subject: Help Needed
Date: Fri, 18 May 2001 13:48:56 +0000 (UTC)
Dear Friends:
I am new to Cryptography and would request all you Geeks or Nerds in the
group to help me understand how to develop a good password based
PRNG. I have heard that LCG is a good PRNG.
Kindly comment. Please mail me the PRNG algorithm and a sample code.
Sincere Regards
Ritesh
--
Posted from [202.58.164.174]
via Mailgate.ORG Server - http://www.Mailgate.ORG
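A practitioner's answer to the two questions in the post above, as an added example that is not part of the thread: first, why a linear congruential generator is not a cryptographic PRNG (three consecutive outputs and the modulus are enough to recover its multiplier and increment and predict everything that follows), and second, one conventional way to build a password-seeded generator from primitives designed for the job (a slow salted KDF, then HMAC as a PRF over a counter). The LCG constants, the KDF iteration count and every function name are this example's own assumptions.

```python
"""Added example: LCG state recovery versus a password-seeded PRF generator."""
import hashlib
import hmac
from typing import List, Optional, Tuple

# Textbook LCG constants (the ANSI C rand() example); m is a power of two.
A, C, M = 1103515245, 12345, 2 ** 31


def lcg(seed: int, n: int, a: int = A, c: int = C, m: int = M) -> List[int]:
    """Return the next n outputs of x_{i+1} = (a*x_i + c) mod m.

    The output *is* the state: whoever sees one value knows all later ones."""
    out, x = [], seed % m
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


def recover_lcg_params(x0: int, x1: int, x2: int, m: int) -> Optional[Tuple[int, int]]:
    """Attacker who knows only the modulus: three consecutive outputs give a and c.

    x2 - x1 = a*(x1 - x0) mod m, so a = (x2 - x1) * (x1 - x0)^-1 mod m and
    c = x1 - a*x0 mod m. Returns None when x1 - x0 has no inverse mod m; with
    the constants above that never happens, since a-1 is even and c is odd,
    so every difference between consecutive outputs is odd."""
    d1, d2 = (x1 - x0) % m, (x2 - x1) % m
    try:
        a = d2 * pow(d1, -1, m) % m
    except ValueError:  # d1 shares a factor with m: this attack needs more outputs
        return None
    c = (x1 - a * x0) % m
    return a, c


def predict_next(x: int, a: int, c: int, m: int) -> int:
    """With a, c, m recovered, the generator's future is just its own recurrence."""
    return (a * x + c) % m


def password_prng(password: bytes, salt: bytes, nbytes: int, iterations: int = 100_000) -> bytes:
    """Password-seeded generator built from standard primitives.

    1. A slow, salted KDF (PBKDF2-HMAC-SHA256) turns the password into a 256-bit
       key, so each password guess costs the attacker `iterations` hash calls.
    2. HMAC-SHA256 keyed with that key, applied to a counter, is a PRF; its
       outputs are the stream. Unlike the LCG, no output reveals the key or any
       other output.
    The stream is deterministic for a given (password, salt) on purpose; that is
    what "password based" means. For unpredictable values use os.urandom/secrets."""
    key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


if __name__ == "__main__":
    xs = lcg(seed=20010518, n=4)
    params = recover_lcg_params(xs[0], xs[1], xs[2], M)
    print("recovered (a, c):", params, "correct:", params == (A, C))
    print("predicted x3 == real x3:", predict_next(xs[2], *params, M) == xs[3])
    print("password stream:", password_prng(b"hunter2", b"example-salt", 16).hex())
```

The recovery step is the whole argument against an LCG: its outputs are linear in its state, so a handful of them pin down the generator. The HMAC construction has no such relation between outputs and key, and the KDF in front of it is what makes a low-entropy password survivable at all; it does not turn a weak password into a strong key, it only makes each guess expensive.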
------------------------------
From: "Hans Bergelind" <[EMAIL PROTECTED]>
Subject: Re: Crypto analysis software
Date: Fri, 18 May 2001 15:53:49 +0200
Thank you very much, Sir!
/Hans
"Robert Reynard" <[EMAIL PROTECTED]> wrote in message
news:9e38ev$rqs$[EMAIL PROTECTED]...
> Hans,
>
> Go to ==>http://codebreaker.dids.com/Codes.htm to download software that
> breaks 'hand ciphers' including an excellent monoalphabetic cipher cracker
> by Chris Case.
>
> Also, at ==>http://codebreaker.dids.com/Author.htm there is a list of links
> to other sites that provide programs and info on the subject, including John
> Savard's site (descriptions of many cipher systems), Joe Peschel's site
> (scores of links to various cracker software) and Peter Conrad's site
> (PKZIP cracker).
>
> "Hans Bergelind" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Hi all!
> >
> > I'm looking for software that can analyse ciphertexts and help me out with
> > breaking them (the ciphers, that is :)
> > I think it's overkill to make my own and it would take too much time.
> >
> > Thanx in advance!
> >
> >
>
>
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Randomized cryptosystems (was Re: Are low exponents a problem with RSA?)
Date: Thu, 10 May 2001 17:04:34 -0700
"David A Molnar" <[EMAIL PROTECTED]> wrote in message
news:9de9ft$f22$[EMAIL PROTECTED]...
> Semantically secure cryptosystems must be randomized (otherwise an adversary
> can trial encrypt and distinguish). What happens if some, but not all, of the
> random bits used for a particular message are revealed? in general and for
> specific cases?
In the most general case we can say that it reduces the maximum amount of
work needed, and that it may reduce the work needed to 0. Specific cases
vary widely in the range. For systems that are truly resistant (eg random
padding in encryption), revealing some of the extra bits means only that
the unknown random bits would also have to be brute-forced. In the case of
OAEP, it means very little if even all the random bits are revealed, in PSS
it actually means nothing (all the bits can be determined anyway).
>
> for instance, if you have a pseudo-OTP and you know half the bits output by
> the PRNG, you have half the message. can we do better? how much better can we
> possibly do?
We can do somewhat better, but only to the degree that other values can be
determined by the known values. For example if the data is repeated, and the
first half is known we immediately know the second half. At the other
extreme if each bit is independent (or even if the unknown half has no
dependence on the known half) no more information can be gained. It is
highly dependent on the internal correlation(s) and their strength(s).
Joe
------------------------------
From: Stanley Chow <[EMAIL PROTECTED]>
Subject: Re: Questionable security measures (Cloakware!)
Date: Fri, 18 May 2001 14:59:16 GMT
Tom St Denis wrote:
>
> Cloakware just released a product that uses CIC's signature detection
> algorithms but they won't release the details (I know since I work for
> Cloakware).
Let me clarify the situation, and apologies for this
misunderstanding.
I am Tom's boss (at least I still am for a while). I hired Tom as
an intern to work on some crypto stuff. We are currently finishing
up a product that we are about to release. It seems this incident
grew out of the fact that I didn't let Tom see the source code
when he asked me.
The product is "Cloakware/Signature" and the first release is for
the Palm platform. Think of it as a secure holder of your private
key. Instead of using a password to unlock the private key, you
need to use biometrics - hand-written signature in this case. For
the security aspect of this product, we have security evaluations
that will be available to customers.
This product is a joint product between Cloakware and our partner
company. Our partner is a leader in the signature recognition
field and has been in business for years. They provide that portion
of the code. Cloakware provides the software security portion.
That code does not belong to Cloakware, and we at Cloakware are
serious about respecting other people's intellectual property.
We do not let people (even other employees, let alone interns) see
it just for fun.
Our own technology will be open. There are already 5 patent
applications that are published by PCT. We are slowly putting
more information on our website. Interested parties are welcome
to contact us for further information. Being in the security
business, we fully intend to publish all details for public
inspection. Being a small startup, we are trying to protect
our lead by publishing only after the patents are public.
--
Stanley Chow VP Engineering [EMAIL PROTECTED]
Cloakware Corp (613) 271-9446 x 223
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************