Cryptography-Digest Digest #172
Cryptography-Digest Digest #172, Volume #14 Wed, 18 Apr 01 04:13:01 EDT Contents: Re: Lorentz attractor... ("Douglas A. Gwyn") Re: LFSR Security (David Wagner) Re: Size of dictionaries ("Douglas A. Gwyn") Re: "UNCOBER" = Universal Code Breaker ("Douglas A. Gwyn") Re: "UNCOBER" = Universal Code Breaker ("Douglas A. Gwyn") Re: Note on combining PRNGs with the method of Wichmann and Hill (Bryan Olson) Re: XOR_TextBox: Doesn't write to swap file if... (Anthony Stephen Szopa) Re: LFSR Security (Tim Tyler) Re: Size of dictionaries (wtshaw) Re: XOR TextBox Freeware: Very Lousy. (David Schwartz) Re: Incomplete Blocks in Twofish ("Mike Moulton") Re: C code for GF mults ("Brian Gladman") Re: C code for GF mults (David Eppstein) Re: C code for GF mults ("Brian Gladman") From: "Douglas A. Gwyn" [EMAIL PROTECTED] Subject: Re: Lorentz attractor... Date: Wed, 18 Apr 2001 03:21:15 GMT Richard Heathfield wrote: It was, in fact, a young tabby kitten who engineered the only ciphertext-based OTP break in history. The incident is shrouded in suspicious mystery, but we *can* be sure that the kitten in question belonged to a Mr Schroedinger. What he did to the kitten, when he discovered that it had learned his secret, remains uncertain. We don't even know if the cat in question is still alive. -- From: [EMAIL PROTECTED] (David Wagner) Crossposted-To: sci.crypt.random-numbers Subject: Re: LFSR Security Date: 18 Apr 2001 03:21:22 GMT Scott Fluhrer wrote: One obvious way to extend this is to make the wild claim that, if the keystream bits you do have, there exists a a_0 a_1 ... a_{n+1} and n-1 distinct r_0, ..., r_{n-2}, you know the keystream output for b_{a_i + r_j} for all i, j, then you can derive the taps for a virtual LFSR (which hopefully isn't too hard to translate back into the normal form). Ooh, nice. Sounds promising. Yes, it seems plausible that if you can find the taps for a virtual LFSR, one can hope to recover the taps of the original LFSR. Your virtual LFSR is basically a recurrence relation b_{m+r_0} + b_{m+r_1} + ... + b_{m+r_n} = 0 for all m. The associated polynomial is q(x) = x^r_0 + x^r_1 + .. + x^r_n. Now the LFSR's polynomial is a divisor of q(x), so if you factor q(x), you can get some candidates for the LFSR taps. Alternatively, if you get a few such q(x)'s, you can take their gcd. It seems to me that one of the major remaining questions is this: Suppose we know the keystream at some set of positions S (i.e., we known b_s for s in S). How do we find a_i's and r_j's so that a_i + r_j is in S for all i,j? Moreover, how much known text is needed to ensure that such a_i,r_j's exist? To rephrase the first question: We have a set S. We want to find a pair of sets, A and R, of cardinality = n such that A+R is a subset of S. Here A+R denotes {a+r : a in A, r in R}, and A represents the set of a_i's, R the set of r_j's. How large does S need to be? Can we find A,R efficiently? -- From: "Douglas A. Gwyn" [EMAIL PROTECTED] Subject: Re: Size of dictionaries Date: Wed, 18 Apr 2001 03:29:50 GMT Jim Gillogly wrote: ... An example might be communicating with scientists on the 30-year Titan probe, assuming they had lost the use of their main antenna and can receive mail on only a very limited-bandwidth umbrella-sized telemetry antenna. ... Indeed, deep-space communication throughput is very limited even if one *can* use the main antenna. Another way of putting it is that effective high-speed communication over such distances requires far more power than is practical to provide. In order to improve the effective bit rate, heavy use is made of error-correcting coding of the information, and the information is made as compact as possible in the first place. That's where application-specific dictionaries can play an important role. -- From: "Douglas A. Gwyn" [EMAIL PROTECTED] Subject: Re: "UNCOBER" = Universal Code Breaker Date: Wed, 18 Apr 2001 03:30:50 GMT newbie wrote: Has cryptograhers thought to universal way to break any code? Have you? -- From: "Douglas A. Gwyn" [EMAIL PROTECTED] Subject: Re: "UNCOBER" = Universal Code Breaker Date: Wed, 18 Apr 2001 03:35:42 GMT newbie wrote: This theory has to answer why is OTP likely unbreakable. It is not so sure. It is sure only in theory. Because the language domain is not infinite. There is not only redundancy is using the alphabet. There is redundancy in plain-text using. ... Put simply, you do not know what you're talking about. It is *easy* to show that a OTP properly employed provides no information to the eavesdropper that he did not already
Cryptography-Digest Digest #172
Cryptography-Digest Digest #172, Volume #13 Fri, 17 Nov 00 00:13:01 EST Contents: Re: My new book "Exploring RANDOMNESS" ("Matt Timmermans") Re: vote buying... ("Trevor L. Jackson, III") Re: vote buying... ("Trevor L. Jackson, III") Breaking Leviathan (Paul Crowley) Re: vote buying... ("Trevor L. Jackson, III") Re: vote buying... ("Trevor L. Jackson, III") Re: vote buying... ("Trevor L. Jackson, III") Re: And you FBI people reading my messages ... this is just starting .. :) ... I know you are there . ("Alien8") short encripted message (my first first cript agor) ("Alien8") Rijndael: Impossible differential cryptanalysis on 5 rounds ([EMAIL PROTECTED]) Rijndael: Impossible differential cryptanalysis on 5 rounds ([EMAIL PROTECTED]) Re: vote buying... (Paul Rubin) DES question: Has this ever been proven before? (Raphael Phan) From: "Matt Timmermans" [EMAIL PROTECTED] Crossposted-To: sci.math,sci.logic Subject: Re: My new book "Exploring RANDOMNESS" Date: Fri, 17 Nov 2000 03:13:21 GMT "Greggy" [EMAIL PROTECTED] wrote in message news:8v21tv$eoh$[EMAIL PROTECTED]... [...] In fact, have you considered making the book online and free to read through? I for one have no curiosity for such a book if I have to pay for it. Sounds like snake oil. Or can I get my money back if I don't think it was worth the price? Heh. Did you actually notice _who_ wrote the book? -- Date: Thu, 16 Nov 2000 22:16:32 -0500 From: "Trevor L. Jackson, III" [EMAIL PROTECTED] Subject: Re: vote buying... David Schwartz wrote: Paul Rubin wrote: That traceability is bad even if the election officials are honest and the election is fair. Years later, Sheriff Bubba has worked his way up to being Supreme Dictator Bubba, has the election officials executed and gets the archived code numbers and uses the ballot data to locate everyone who voted against him. Won't work. It'll just give him the code numbers of everyone who voted against him. Remember, we were talking about a case where a citizen presents his electronic voting receipt to an official. You are looking at a scheme specifically designed to provide X and complaining that it doesn't provide Y. Of course not, it isn't designed to. Unless you want to argue that no scheme can provide both X and Y, your argument is pointless. I may have missed something but I think I agree with this. Any scheme that solves all problems must do both X and Y, where X and Y are in conflict with each other. What goal is in conflict with what goal? The goal of being able to check votes after the election (to detect fraud) is in conflict with the goal of not being able to check the votes (to protect voter secrecy). So long as you need the voter's help to check them, you can easily meet both goals. Not quite. If the voter can prove the validity of his vote than a person threatening the voter can force him to reveal the validity token. The only way to protect the voter is to permit him to present a fake validity token. But that conflicts with the fraud detection mechanism because it can be used to hide fraud. -- Date: Thu, 16 Nov 2000 22:30:02 -0500 From: "Trevor L. Jackson, III" [EMAIL PROTECTED] Subject: Re: vote buying... David Schwartz wrote: Paul Rubin wrote: David Schwartz [EMAIL PROTECTED] writes: That traceability is bad even if the election officials are honest and the election is fair. Years later, Sheriff Bubba has worked his way up to being Supreme Dictator Bubba, has the election officials executed and gets the archived code numbers and uses the ballot data to locate everyone who voted against him. Won't work. It'll just give him the code numbers of everyone who voted against him. Remember, we were talking about a case where a citizen presents his electronic voting receipt to an official. Nope. Remember, Bubba already got the receipts from the voters back when he was still Sheriff and couldn't decode them. Now he can decode them and there is hell to pay. He only got the receipts of those people who contested the vote. And he can't even be sure that the people who present the contest are the original voters. All he knows is that someone presented a voting receipt for a vote for candidate X and that this vote wasn't correctly counted for candidate X. Unless the system totally breaks down, the number of people issuing such disputes should be very small. The disputes could even be done anonymously. All that's needed to process the dispute are the numbers on the voting receipt. The goal of being ab
Cryptography-Digest Digest #172
Cryptography-Digest Digest #172, Volume #12 Fri, 7 Jul 00 02:13:00 EDT Contents: Re: Some dumb questions (John Savard) Re: Any crypto jokes? (potentially OT) ("Paul Pires") Re: Quantum Computing (Was: Newbie question about factoring) (TIEMANN BRUCE) Re: Prime Numbers? (TIEMANN BRUCE) Re: Prime Numbers? (David Lancashire) Re: A thought on OTPs (Joe Nilaad) Re: Compression Encryption in FISHYLAND (Kurt Shoens) Re: Hash and Entropy (Benjamin Goldberg) Re: Prime Numbers? (Nicol So) Re: Hash and Entropy (JPeschel) Re: Any crypto jokes? (potentially OT) (Guy Macon) Porting Keys Between PGP, other Apps ("Ed Suominen") From: [EMAIL PROTECTED] (John Savard) Subject: Re: Some dumb questions Date: Fri, 07 Jul 2000 00:21:15 GMT On Thu, 06 Jul 2000 17:40:00 +0200, Mok-Kong Shen [EMAIL PROTECTED] wrote, in part: Under which chapter/section of your webpage is the material about SIGCUM? (Sorry that I did only a quick search.) It's at http://home.ecn.ab.ca/~jsavard/crypto/te0305.htm The original version had 13 live wires into five rotors, with five wires out giving the bits to XOR with a teleprinter character. But the improved version had five live wires in, and the wires going out were wired together from three rotor contacts, so the chance of a bit being a one changed to 48.846%. Thus, getting rid of correlations must have been considered as much more important than a little bias. John Savard (teneerf -) http://www.ecn.ab.ca/~jsavard/crypto.htm -- From: "Paul Pires" [EMAIL PROTECTED] Subject: Re: Any crypto jokes? (potentially OT) Date: Thu, 6 Jul 2000 17:49:32 -0700 I am truly impressed with the volume and rational appearance of this post. Does your day job require hip waders too? Paul . Trevor L. Jackson, III [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... [EMAIL PROTECTED] wrote: How many cryptographers does it take to change a light bulb? Changing the light bulb is too hard (there can only be one AES, so we'll never change anything). Turning on the light is about the right speed. One needs to attempt every possible set of combinations of electrical switches, including the fuse box, in order to determine which set of subsets of possible combinations enable the light. This technique fails in the presence of acoustic switches and BSR X-10 modules. Acoustic switches turn on the light and keep it on for a predetermined period following the last significant sound. Controlling the lights in the presence of acoustic switches requires an analysis of the sensitivity settings of the switches. Thus each switch must be individually exhaustively exercised to determine the required volume level at each activation frequency. This requires a form of differential spectral analysis which is beyond the scope of this joke. BSR X-10 modules permit remote control of the light. Since the switches are typically controlled by a computer (or close facsimile) finding all of the possible controls that enable the light is equivalent to the halting problem for the computer. So deciding how to turn on the light is undecidable. Actually turning on the light requires even more effort. In this situation the author respectfully suggests candles. -- From: [EMAIL PROTECTED] (TIEMANN BRUCE) Crossposted-To: comp.theory Subject: Re: Quantum Computing (Was: Newbie question about factoring) Date: 7 Jul 2000 01:06:09 GMT In article [EMAIL PROTECTED], Paul E. Black [EMAIL PROTECTED] wrote: Nick Maclaren wrote: However, some people believe that building a quantum computer is an exponentially complex problem, Interesting. Could you give more details, for instance, who believes that or what goes into it? For instance, is it that designing a quantum computer is exponentially complicated, or constructing it (an exponential number of steps needed)? -paul- -- Paul E. Black ([EMAIL PROTECTED]) I have heard that quantum computers require as many bits in the readout of some analog state as qbits in the data; thus, readout of a quantum state to the nearest percent provides ~6-7 bits accuracy. Reading out that state to ppm-level accuracy would provide 20 qbits. By the way, ppm-level accuracy - not precision, accuracy - is extremely difficult, and would afford only 20 bits, hardly enough to get excited about. Digging for the next sigfig in the readout of some analog data is exponentially harder than was the last one. This may have some bearing to the problem. -- From: [EMAIL PROTECTED] (TIEMANN BRUCE) Subject: Re: Prime Numbers? Date: 7 Jul 2000 01:11:41 GMT In article 8k2g60$8le$[EMAIL PROTECTED], [EMAIL PROTECTED] wrote: I understand the distinction now, thank you. I had read an explanation of Euclid's proof in an article in Scientifc American july 1988 p.
Cryptography-Digest Digest #172
Cryptography-Digest Digest #172, Volume #11 Mon, 21 Feb 00 05:13:02 EST Contents: Re: Processor speeds. ("Douglas A. Gwyn") I will bring PGP to the masses h20 (PGP_for_ALL) Re: OAP-L3 Encryption Software - Complete Help Files at web site ("Douglas A. Gwyn") I will bring PGP to the masses h15 (PGP_for_ALL) efficiency of ecash schemes (ahbeng) Re: OAP-L3 Encryption Software - Complete Help Files at web site (Anthony Stephen Szopa) Re: Does the NSA have ALL Possible PGP keys? (John Underwood) Re: I stole also the diary and calendar of Markku J. Saarelainen ("ink") Re: EOF in cipher??? (Mok-Kong Shen) Re: Processor speeds. (Mok-Kong Shen) Re: NIST publishes AES source code on web (Mok-Kong Shen) Re: Keys Passwords. (Mok-Kong Shen) From: "Douglas A. Gwyn" [EMAIL PROTECTED] Subject: Re: Processor speeds. Date: Mon, 21 Feb 2000 06:17:24 GMT "John E. Kuslich" wrote: ... The performance they achieve on ray trace software would not be possible using the classic CRAY boat anchor computer. Ray tracing is the epitome of a *parallel* task (each pixel can be computed independently), while Cray computers have been *vector* machines. Also, as I noted previously, supercomputers normally have incredibly high I/O performance, which cannot be matched by distributed PCs. You should use the appropriate tool for the appropriate task. By the way, we at BRL were perhaps the first to distribute ray tracing among multiple computers on a local network. (We used big, fast SGIs rather than puny PCs, however.) We also had a couple of Crays and other supercomputers, but we didn't waste them on much of our ray-traced imaging workload. -- Date: 19 Feb 2000 14:17:06 - From: PGP_for_ALL Use-Author-Address-Header@[127.1] Subject: I will bring PGP to the masses h20 I will bring PGP to the masses PGP can be used by all, can be used by the masses, but not in the current implementation. I have the strategic information to make PGP product to be used by all the internet e-mail active users not only by elite, educated and sophisticated computer equipment users. I need to get association from influential entrepreneurial people to back me up, to provide "invisible" success shield. I know that to have undisputed solutions does not bear much success before they are backed by influential people. The key here is the "influential people". As the history proved many times in the past, many outstanding ideas has been lost due to the lack of influential back up at the first presentation. I see the enormous prestigious financial benefits to be gained by PGP company, at the same time I would like not be "left on the street homeless hungry" after disclosing my research findings to appropriate people. I'm using PGP encryption tools for very long time. I know understand almost from the beginning the importance of the benefits associated with mass market encryption. I know understand almost from the beginning the problems associated with the PGP software that shaped the past, and most importantly had very detrimental impact on the wider spread use of this extraordinary product. In 1999 I realized the fact that PGP is the undisputed encryption tool in use. On the other hand, I realized that PGP saturation is to fare from the accepted level, from the level to be named "used by the masses". To say in other words, PGP is not used, is not accepted, will not be used, will not be accepted by almost every user on the internet, until strategic changes, changes that I'm proposing will be implemented. The past PGP development, the past release versions, the current version and the undertaken development that will lead to future versions, are sufficiently enough to indicate that PGP will not reach the "mass market saturation level" without my proposed strategic changes. This is contrary to the undisputed benefits that are provided by this excellent software. Here are coming my observations research. All of my suggestions indicates that all of the above can be very easily changed, changed to make possible for the PGP to become mass market product. I have the strategic information proposed required changes that should be made to make PGP accepted by the masses, by all the uses of the e-mail encryption. My ideas are proven by the past implemented strategies, the past examples of the mass market products services. My ideas are based on the unsuccessful past products that make to the mass market after changing global strategies. My key is at http://www.mit.edu:8001/finger?[EMAIL PROTECTED] I'm physically located in the NYC. My PGP_for_ALL account is not ANON protected, I'm using it for the anti SPAM filtering purposes only. -- From: "Douglas A. Gwyn" [EMAIL PROTEC
Cryptography-Digest Digest #172
Cryptography-Digest Digest #172, Volume #10 Sat, 4 Sep 99 02:13:03 EDT Contents: Re: NSA and MS windows (Bruce Schneier) Re: 512 bit number factored (Bob Silverman) Re: 512 bit number factored (Paul Rubin) Re: Alleged NSA backdoor in Windows CryptoAPI (Bruce Schneier) THE NSAKEY (SCOTT19U.ZIP_GUY) Re: Schneier/Publsied Algorithms (Bruce Schneier) Re: 512 bit number factored (Eric Young) Re: Does SSL use RSA Keys? (Eric Young) Re: 512 bit number factored (Paul Rubin) Re: NSA and MS windows ("Thomas J. Boschloo") From: [EMAIL PROTECTED] (Bruce Schneier) Subject: Re: NSA and MS windows Date: Sat, 04 Sep 1999 02:04:58 GMT On Fri, 03 Sep 1999 14:27:30 -0700, Michael Slass [EMAIL PROTECTED] wrote: According to http://www.cnn.com/TECH/computing/9909/03/windows.nsa/ "(CNN) -- A cryptography expert says that Microsoft operating systems include a back door that allows the National Security Agency to enter systems using one of the operating system versions. A few months ago in my newsletter Crypto-Gram, I talked about Microsoft's system for digitally signing cryptography suits that go into its operating system. The point is that only approved crypto suites can be used, which makes thing like export control easier. Annoying as it is, this is the current marketplace. Microsoft has two keys, a primary and a spare. The Crypto-Gram article talked about attacks based on the fact that a crypto suite is considered signed if it is signed by EITHER key, and that there is no mechanism for transitioning from the primary key to the backup. It's stupid cryptography, but the sort of thing you'd expect out of Microsoft. Suddenly there's a flurry of press activity because someone notices that the second key is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes. I don't buy it. First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption. Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security. Third, why in the world would anyone call a secret NSA key "NSAKEY." Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert. I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that. Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use. But it's not an NSA key so they can secretly install weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses. My original article: http://www.counterpane.com/crypto-gram-9904.html#certificates Announcement: http://www.cryptonym.com/hottopics/msft-nsa.html Nice analysis: http://ntbugtraq.ntadvice.com/default.asp?sid=1pid=47aid=52 Useful news article: http://www.wired.com/news/news/technology/story/21577.html ** Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com -- From: Bob Silverman [EMAIL PROTECTED] Subject: Re: 512 bit number factored Date: Sat, 04 Sep 1999 02:32:56 GMT In article [EMAIL PROTECTED], [EMAIL PROTECTED] (DJohn37050) wrote: OK, some here are some reworded questions on RSA key size for Bob, Wei and anyone else to comment on: 1. My understanding is that the GNFS has 2 steps: (A) Gathering equations, which can be done in parallel with little memory As I said, 700 bits would require 2-3 Gbytes per machine to do the sieving. If you choose to call this '