Cryptography-Digest Digest #141
Cryptography-Digest Digest #141, Volume #14
Sat, 14 Apr 01 17:13:01 EDT

Contents:
  Utimaco a Supplier of the German Armed Forces ? (Frank Gerlach)
  Re: NSA-Endorsed Schools have a Mediocre Internet Presence (Mok-Kong Shen)
  Re: please comment (Mok-Kong Shen)
  Re: Graphical representation of a public key (or fingerprint)? ("Michael Schmidt")
  Re: Graphical representation of a public key (or fingerprint)? ("Matt Timmermans")
  LFSR Security (Nathan E. Banks [EMAIL PROTECTED])
  Re: please comment (Darren New)
  Re: please comment ("Paul Pires")
  Re: NSA-Endorsed Schools have a Mediocre Internet Presence (Jim D)
  Re: NSA-Endorsed Schools have a Mediocre Internet Presence (Jim D)
  Re: "Good" file encrypt/decrypt utility wanted! (Steve K)
  Re: Patents for Enigma ?? (Lawrence Kirby)
  Re: LFSR Security (David Wagner)
  Re: NSA-Endorsed Schools have a Mediocre Internet Presence ("Douglas A. Gwyn")
  Re: please comment ("Ryan M. McConahy")
  Re: XOR TextBox Freeware: Very Lousy. (Anthony Stephen Szopa)
  Re: LFSR Security (Nathan E. Banks [EMAIL PROTECTED])
  Re: LFSR Security (David Wagner)
  Re: LFSR Security (Nathan E. Banks [EMAIL PROTECTED])
  Re: LFSR Security ("Scott Fluhrer")
  Re: Would dictionary-based data compression violate DynSub? (Terry Ritter)

From: Frank Gerlach [EMAIL PROTECTED]
Crossposted-To: hk.comp.software
Subject: Utimaco a Supplier of the German Armed Forces ?
Date: Sat, 14 Apr 2001 18:14:21 +0200

I have *heard* that Utimaco is a supplier of the GAF. Anything else I have to say ? Maybe "Crypto AG" ? Get yourself a copy of GPG/PGP, but then check the source :-)

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: NSA-Endorsed Schools have a Mediocre Internet Presence
Date: Sat, 14 Apr 2001 18:34:22 +0200

Frank Gerlach wrote:

[snip] I am attributing this to the dominance of the spooks, who have no real interest in spreading good security.

The human society is extremely complex and involved. Look e.g. at the pharma industry. Their 'ideal' would be selling a particular product 'forever', thus saving the often very high investment to find better medicaments. Were it not for the competition, I don't believe that there would have been substantial incentives to conduct R&D simply for the benefit of the ill on purely moral grounds, as long as the fiscal balance sheet of the company is excellent. Thus don't be surprised by the phenomenon you described and severely curse them. They are just humans, in fact not unlike most of us in 'principle' (even if you would disagree and protest against this viewpoint), always attempting to find some 'optimum' for themselves (alone). Other examples abound in the arena of politics.

BTW, I think that the increased use of new technologies in wireless communications (I recently saw the term SR, software radio, in this connection. Could someone give the exact definition of it?) and the rapid expansion of the total message volume may one day render effective surveillance and intelligence gathering technically infeasible. At that time point, the existence of the agencies would be economically questionable. It could then be the case that these would be dissolved, releasing their scientists to the civilian world, and the knowledge 'gap' between them and the academics, as was mentioned in a previous post in this thread, would then be perfectly closed. Of course, this is yet all utopic.

M. K. Shen

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: please comment
Date: Sat, 14 Apr 2001 18:41:09 +0200

Yechuri wrote:

I did a disclosure document months ago but I'm hoping it's so common it can't be patented. What do you think ?

Paradoxically, the best and only entirely secure way to ensure that something can't be patented (by others) is to try to get a patent on it yourself.

M. K. Shen

--

From: "Michael Schmidt" [EMAIL PROTECTED]
Subject: Re: Graphical representation of a public key (or fingerprint)?
Date: Sat, 14 Apr 2001 19:08:03 +0200

"M.S. Bob" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

Michael Schmidt wrote:

I'm wondering whether there has been any research conducted on the topic "graphical representation of a public key" or the key's fingerprint. My goal is to authenticate a public key (or better: its fingerprint, like with PGP) securely by creating and comparing its graphical representation with an "original", which is unique enough for every key/fingerprint, yet easy to be processed and compared by the human brain.

Visual cryptography
http://www.cacr.math.uwaterloo.ca/~dstinson/visual.html
http://www.cacr.math.uwaterloo.ca/~dstinson/index.html

I thought Ian Goldberg
Cryptography-Digest Digest #141, Volume #13
Sat, 11 Nov 00 12:13:01 EST

Contents:
  Re: Q: Computations in a Galois Field (Mok-Kong Shen)
  Re: RC6 Question (Mok-Kong Shen)
  Rotor Machines and Alan Turing the father of modern cryptography ([EMAIL PROTECTED])
  Re: voting through pgp (Paul Crowley)
  Re: voting through pgp (Timothy M. Metzinger)
  vote buying... (Timothy M. Metzinger)
  Re: Type 3 Feistel? (John Savard)
  Re: Why remote electronic voting is a bad idea (was voting through pgp) (Roger Schlafly)
  Re: Q: Rotor machines (Steve Portly)
  Re: Rotor Machines and Alan Turing the father of modern cryptography (Mok-Kong Shen)
  Re: RC6 Question (Tom St Denis)
  Re: voting through pgp ("John A. Malley")
  Re: Why remote electronic voting is a bad idea (was voting through pgp) ([EMAIL PROTECTED])

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Q: Computations in a Galois Field
Date: Sat, 11 Nov 2000 12:40:08 +0100

Paul Crowley wrote:

Mok-Kong Shen wrote:

My understanding of the section you mentioned is that both the x -> 1/x mapping and the affine transformation are such that they are simple to describe and (apparently by some chance) happen to be very good.

The x -> 1/x thing is known to be very good; it's not coincidence, it's well known as a bijective S-box strongly resistant to DC and LC. Any affine transformation would preserve these properties; it's not hard to choose a simple one that achieves the few extra properties that the Rijndael designers wanted.

Now I understand why you're asking - you want a non-interoperable variant! You could go for choosing a different affine function with the same nice properties, there should be many. I don't think I'd recommend messing with MixColumn, and I'd *definitely* leave ShiftRow alone. Frankly, though, your best bet is probably a simple variant of the key schedule; this will probably allow you to implement your variant on Rijndael hardware. A radically different set of round constants would probably do it.

Unless I'm not guessing the purpose of this variant properly?

Yes. The variant that almost certainly doesn't affect the strength of the cipher is permuting the round keys, which I mentioned in the said thread among other methods of modifying the key scheduling. The next fairly safe variant is in my view modification of the affine transformation (though one probably has to test a little bit to be sure to capture its effect on diffusion properties). I remain personally optimistic though that the other variants suggested could also prove to be viable in practice for achieving (where realizable) non-interoperability, which renders the opponent's job more difficult in a very general and essential manner.

M. K. Shen
http://home.t-online.de/home/mok-kong.shen

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: RC6 Question
Date: Sat, 11 Nov 2000 12:52:09 +0100

Vinchenzo wrote:

In the RC6 specification one of the basic operations is defined as: "a<<<b: rotate the w-bit word a to the left by the amount given by the least significant log2(w) bits of b." What does that mean... has anybody already implemented this algorithm? Please help me!

You probably have to query the authors of RC6 why they choose the least significant bits of b instead of other bits. A possible reason is that these bits are or are considered to be more random. log2(2) should be clear, since there is no sense to rotate e.g. a 32-bit word by more than 31 bits and 5 bits provide that amount for rotation. RC6 implementation is in AES contest, if I am not mistaken.

M. K. Shen

--

From: [EMAIL PROTECTED]
Subject: Rotor Machines and Alan Turing the father of modern cryptography
Date: Sat, 11 Nov 2000 12:09:54 GMT

In 1939, British intelligence, with the help of Polish spies, managed to obtain a working replica of a new and secret coding machine known as Enigma. Unfortunately, the Germans changed the machine settings (the key) on a daily basis. The British equivalent of the NSA, the Government Code and Cipher School, formed a Top Secret group set up for the purpose of developing a method for extracting the daily Enigma key from the morning messages, or traffic. Alan Turing, a brilliant mathematician and an expert in Boolean algebra, invented a computer, the Turing Bombe, which accomplished this feat. The first encrypted messages obtained in the morning with the new daily key (machine settings) were fed into the Bombe and when the relays quit clicking a clerk would read out the new key (machine settings), and then check it on a replica of the Enigma machine. The key was then passed on to other clerks using working replicas of the Enigma machine, who would decrypt the German messages as they came in for the rest of the day. Turing derived hi
Cryptography-Digest Digest #141, Volume #11
Thu, 17 Feb 00 10:13:01 EST

Contents:
  Re: Does the NSA have ALL Possible PGP keys? ([EMAIL PROTECTED])
  elliptic curve DSA approved as US government standard (Alfred John Menezes)
  Re: EOF in cipher??? (JPeschel)
  Re: UK publishes 'impossible' decryption law (Richard Herring)
  NSA Linux and the GPL (John Savard)
  Re: EOF in cipher??? (Runu Knips)
  Re: Using virtually any cipher as public key system? (Mikko Lehtisalo)
  Re: Question about OTPs ("Tony T. Warnock")
  Re: Question about OTPs ("Dr.Gunter Abend")
  Re: Does the NSA have ALL Possible PGP keys? ("tiwolf")
  Re: Does the NSA have ALL Possible PGP keys? ("tiwolf")
  Re: EOF in cipher??? ([EMAIL PROTECTED])
  Re: PhD in Cryptography? (Anton Stiglic)
  Re: Using virtually any cipher as public key system? (Anton Stiglic)
  Re: multi-precision integer C library (Nathan Kennedy)

From: [EMAIL PROTECTED]
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Thu, 17 Feb 2000 12:36:07 GMT

In article [EMAIL PROTECTED], drickel [EMAIL PROTECTED] wrote:

In article [EMAIL PROTECTED], "tiwolf" [EMAIL PROTECTED] wrote:

Anything is possible given time, money, and talent. Government has nothing to do with it. In this case the government desire to control along with access to money (tax payers), and (through the obscene spending of the taxpayers money) talent. This makes the probability high that people will break any code given the right equipment and time.

Bullshit. The universe operates according to laws (we might not know the laws, but we have some ideas). These laws cannot be broken, no matter how much money and talent you throw at it. Just for a start--most of Mozart's atoms are still around. How much money and talent would it take to find them all and put them back together? Say, exactly as he was, Jan 1, 1790, 0:00:00 GMT (it's ok to use replacement atoms for any that have split or fused in the interim).

But besides these calculations, one always has to bear in mind that mathematical breakthroughs have always been achieved and will be achieved in future. And as there aren't that many mathematicians in the world that work on number theoretic problems relevant to public key crypto, it might be possible to surveil them all. Most countries in the world have laws that allow disclosing information and research discoveries if the national security is concerned. So theoretically, any organization could be in knowledge of some mathematical breakthrough that makes deciphering PGP messages trivial. However, of course, this applies to *all* kinds of cryptographic protocols and algorithms, and there's no reason to assume that any of such breakthroughs has been achieved. I don't know for sure, but maybe it's more reasonable to assume attacks on IDEA and CAST than on the public key crypto itself. What do you think?

Greetings, Erich

Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: [EMAIL PROTECTED] (Alfred John Menezes)
Subject: elliptic curve DSA approved as US government standard
Date: 17 Feb 2000 12:44:58 GMT

On February 15 2000, the National Institute of Standards and Technology (NIST) announced the revision to their Digital Signature Standard (DSS). The original DSS (FIPS 186) specified the Digital Signature Algorithm (DSA). FIPS 186 was revised in 1998 to include both the DSA and RSA signatures as described in ANSI X9.31. The revised standard is FIPS 186-1. The latest revision, FIPS 186-2, includes the elliptic curve analogue of DSA (ECDSA) as specified in ANSI X9.62. The latter was approved as an ANSI standard for financial applications in January 1999.

What this means is that US government departments are free to choose between DSA, RSA and ECDSA when selecting a signature algorithm. This is a *major* endorsement for elliptic curve cryptography (ECC). Keep in mind that NIST is the organization that gave us DES, DSA, and SHA-1, and is now leading the AES effort.

The FIPS 186-2 standard is available from NIST's web site. ECDSA is included in FIPS 186-2 simply by reference to ANSI X9.62. Unfortunately, there is a fee for obtaining the latter from the ANSI organization. If you would like to find out more about ANSI X9.62 ECDSA, download the paper "The Elliptic Curve Digital Signature Algorithm" that I wrote with Don Johnson from my web page www.cacr.math.uwaterloo.ca/~ajmeneze

- Alfred

--

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: EOF in cipher???
Date: 17 Feb 2000 13:17:35 GMT

Runu Knips [EMAIL PROTECTED] writes:

FEOF is not standard. Which compiler defines such a strange variable ? EOF works well, because EOF is defined to be -1, while all characters are returned as nonnegative va
Cryptography-Digest Digest #141, Volume #10
Mon, 30 Aug 99 15:13:02 EDT

Contents:
  Re: Key Establishment Protocols - free chapter from Handbook of Applied Cryptography (John Savard)
  Re: Q: Cross-covariance of independent RN sequences in practice ("Trevor Jackson, III")
  Factorization of 512-bits RSA key (Herman J.J. te Riele)
  Re: What if RSA / factoring really breaks? (Bob Silverman)
  Re: WT Shaw temporarily sidelined (John Savard)
  Re: What if RSA / factoring really breaks? (Robert Harley)
  Re: 512 bit number factored (Bob Silverman)
  Re: 512 bit number factored (Anton Stiglic)
  Re: public key encryption - unlicensed algorithm ("shivers")
  Re: 512 bit number factored (DJohn37050)
  Re: 512 bit number factored (Anton Stiglic)

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Key Establishment Protocols - free chapter from Handbook of Applied Cryptography
Date: Mon, 30 Aug 1999 16:54:20 GMT

[EMAIL PROTECTED] (Alfred John Menezes) wrote, in part:

Chapter 9 (Key Establishment Protocols).

Actually, that's chapter 12. Chapter 9 was hash functions and data integrity.

Given that your book was considered to be late enough in its life that it was included on the Dr. Dobb's CD-ROM, I suppose the publishing experiment is not entirely reckless, however much I may appreciate it.

But I do have one nitpicking criticism, after having glanced at the chapter. An unauthenticated key exchange protocol is, by definition, not protected against forgery. But that doesn't mean that forgery is actually possible; the fact that key exchange requires authentication to protect it is a fact about the real world, which must be derived (from observation or whatever). Thus, it isn't really accurate to say that an unauthenticated KEP is vulnerable to forgery _by definition_.

John Savard ( teneerf- )
http://www.ecn.ab.ca/~jsavard/crypto.htm

--

Date: Mon, 30 Aug 1999 12:59:12 -0400
From: "Trevor Jackson, III" [EMAIL PROTECTED]
Subject: Re: Q: Cross-covariance of independent RN sequences in practice

[EMAIL PROTECTED] wrote:

Mok-Kong Shen ([EMAIL PROTECTED]) wrote:
: Because of imperfection in this world, e.g. impossibility of
: making objects of exact sizes or attaining the temperature of absolute
: zero, I suppose that there is a certain not too small lower bound of
: the (average) value of the cross-covariance obtainable in practice.

Since independent random sequences can be made at widely separated places, while many things have lower bounds due to imperfection, this is not one of the stronger examples. You would be surprised at how many decibels of separation are possible between the left channel of my stereo system, and the right channel of somebody else's stereo system in Nebraska.

Well, there's a Grandmother who competes in the world's-loudest-car-stereo contest with a remote-control Jeep. It uses a 12 volt power system providing 11,000 amps to generate 45,000 watts of audio output. It was measured at 173.6 decibels. That's about as loud as a .50 BMG rifle, but continuously instead of a pulse. They might be able to hear that in Nebraska.

--

From: [EMAIL PROTECTED] (Herman J.J. te Riele)
Crossposted-To: sci.crypt.research
Subject: Factorization of 512-bits RSA key
Date: 30 Aug 1999 18:07:09 GMT
Reply-To: [EMAIL PROTECTED] (Herman J.J. te Riele)

Factorization of a 512-bits RSA key using the Number Field Sieve

On August 22, 1999, we found that the 512-bits number

RSA-155 =
1094173864157052742180970732204035761200373294544920599091384213147634\
9984288934784717997257891267332497625752899781833797076537244027146743\
531593354333897

can be written as the product of two 78-digit primes:

102639592829741105772054196573991675900716567808038066803341933521790711307779
*
106603488380168454820927220360012878679207958575989291522270608237193062808643

Primality of the factors was proved with the help of two different primality proving codes. An Appendix gives the prime decompositions of p +- 1.

The number RSA-155 is taken from the RSA Challenge list (see http://www.rsa.com/rsalabs/html/factoring.html).

This factorization was found using the Number Field Sieve (NFS) factoring algorithm, and beats the 140-digit record RSA-140 that was set on February 2, 1999, also with the help of NFS [RSA140].

The amount of computer time spent on this new factoring world record is estimated to be equivalent to 8000 mips years. For the old 140-digit NFS-record, this effort was estimated to be 2000 mips years. Extrapolation using the asymptotic complexity formula for NFS would predict approximately 14000 mips years for RSA-155. The gain is caused by an improved application of the polynomial search method used for RSA-140. For information about NFS, see [LL]. For additiona
Cryptography-Digest Digest #141, Volume #9
Thu, 25 Feb 99 18:13:03 EST

Contents:
  Re: Another extension to CipherSaber (wtshaw)
  My Book "The Unknowable" ([EMAIL PROTECTED])
  Re: Define Randomness (R. Knauer)
  Re: Define Randomness (R. Knauer)
  Re: Define Randomness (John Savard)
  Re: Define Randomness (Herman Rubin)
  Re: Pentium III Hardware Random Numbers (Terry Ritter)
  Not Quite Unbreakable... (John Savard)
  Re: Snake Oil (from the Feb 99 Crypto-Gram) (Jim Dunnett)
  Re: Define Randomness (R. Knauer)
  Re: Quantum Computation and Cryptography (R. Knauer)
  Re: Testing Algorithms (Withheld)
  Re: True Randomness - DOES NOT EXIST!!! (BRAD KRANE)
  Re: Pentium III Hardware Random Numbers ([EMAIL PROTECTED])

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Another extension to CipherSaber
Date: Thu, 25 Feb 1999 13:52:16 -0600

In article [EMAIL PROTECTED], Darren New [EMAIL PROTECTED] wrote:

Trying to narrow design standards for crypto to meet ever more-restrictive criteria results in the ultimate end of having only one crypto algorithm that can meet them; this is exactly what some want to happen, and to be sure that it is an appropriately crippled product to boot.

We're not talking about crypto algorithms here. We're talking about ASCII armoring algorithms. I see no possible reason why you'd want everyone inventing their own ASCII armoring algorithms just for arbitrary divergence. There's a good reason for lots of different crypto algorithms, but none of those reasons apply to making binary go thru email.

To consider that all useful crypto algorithms are binary is really a mistake, and I always chuckle when I see the term *ASCII Armoring* since there is nothing sacred about any particular character set or any particular information unit. To think otherwise is to highly bias and restrict crypto in unneeded ways, which can include a natural pathway to good emailability.

Two of the most important considerations in an encryption package are the nature of the plaintext allowed and the nature of the ciphertext desired. There is no reason that a composite of all criteria cannot be merged. The point that I am trying to make with my current series of simple, perhaps dumb, block ciphers, is that the cosmetics of input and output sets can be fully integrated into an algorithm. The middle layer, the actual encryption one is apt to recognize, can be of more substantial qualities than those which I present. If you favor bit manipulations, fine; if you want to do something else, fine; if you want to mix building blocks in a new method; fine again. The possibilities are almost endless.

I wish to point out with these efforts that neo-classical methods can be most useful, and extended in many ways; the choice is not simply between *broken* classical ciphers, meant to be done entirely by hand, and with a limited few promising methods that many are working with toward narrow criteria, example, in the AES process. It may come as a shock that all good cryptography is not defined in a closed manner, but is really more expansive than almost anyone can consider. I have my favorite areas, and am apt to stub my toe quickly in those I have not spent much time, but others have, and the reverse is also true. It is in the best interests of crypto that as many people go in as many directions as possible. It may be that we never hear again of some of them, but it is better to report whatever one finds, as best one can.

--
A much too common philosophy: It's no fun to have power unless you can abuse it.

--

From: [EMAIL PROTECTED]
Crossposted-To: sci.math,sci.physics,sci.logic
Subject: My Book "The Unknowable"
Date: Thu, 25 Feb 1999 21:14:36 GMT

Hi, just wanted to say that my book The Unknowable will be published this spring by Springer-Verlag. Meanwhile you can still preview it at
http://www.umcs.maine.edu/~chaitin/unknowable
and
http://www.cs.auckland.ac.nz/CDMTCS/chaitin/unknowable

Rgds, Greg Chaitin

Posted via Deja News, The Discussion Network
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own

--

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Define Randomness
Date: Thu, 25 Feb 1999 21:17:22 GMT
Reply-To: [EMAIL PROTECTED]

On 25 Feb 1999 13:21:44 -0500, [EMAIL PROTECTED] (Patrick Juola) wrote:

It can't cause correlations to emerge unless they were already there.

But isn't there some small amount of correlation in any stream that is produced by a physical device? Furthermore, if one has a RNG that produces bias, would not that same RNG also produce correlations? IOW, don't the two come together?

If you're asking whether it can possibly make an already correlated stream worse, the answer is yes

Exactly. If you chose a physical process that is inherently b