Cryptography-Digest Digest #530

2001-06-05 Thread Digestifier

Cryptography-Digest Digest #530, Volume #14   Tue, 5 Jun 01 20:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: One last bijection question (Berton Allen Earnshaw)
  Are RS codes a type of PRF? (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  CTR mode, BICOM, and hiding plaintext length (David Hopwood)
  Re: BBS implementation (David Hopwood)
  Re: Def'n of bijection (David Hopwood)
  Lim-Lee vs safe primes for DH (David Hopwood)
  curious about MD3 (Tom St Denis)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) 
([EMAIL PROTECTED])
  Re: One last bijection question (Douglas A. Gwyn)
  Re: CTR mode, BICOM, and hiding plaintext length (SCOTT19U.ZIP_GUY)
  Re: One last bijection question (Douglas A. Gwyn)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Tue, 5 Jun 2001 22:32:39 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
: Tom St Denis [EMAIL PROTECTED] wrote:
: : Tim Tyler [EMAIL PROTECTED] wrote in message
: : Tom St Denis [EMAIL PROTECTED] wrote:
: : : Tim Tyler [EMAIL PROTECTED] wrote in message
: : : Tom St Denis [EMAIL PROTECTED] wrote:

: : : : Yes there will be equivalent keys but not enough to tell from
: : : : random.
: : :
: : : Tell /what/ from random.
: :
: : : Tell the plaintext. [...]
: :
: : I can very likely tell a randomly chosen plaintext from the decrypt of
: : a 1 byte cyphertext using CTR mode.
: :
: : Does the random plaintext have only 8 bits?  If not, I can immediately
: : distinguish them.
:
: : Yes, but you are just brute forcing the key space. [...]
:
: Nope - just checking lengths.

: WHY DOES THE LENGTH AUTOMATICALLY GIVE YOU THE MESSAGE?

It doesn't.  I never claimed it did.

: : Ah - you're sliding in that for a single byte only...
: :
: : As though we're discussing the trivial case of only 256 possible
: : messages...
:
: : Um yes that's what we were f$$$ talking about.  For geez sakes stay on
: : the same model!
:
: We are *not* discussing the case of 256 possible messages.  Both BICOM and
: CTR mode can encrypt *any* possible message.
:
: Given this wide distribution of possible messages, we are asking what
: security is offered when encrypting a particular 8-bit message in BICOM
: and CTR mode.
:
: BICOM with a 128 bit key maps it to one of 2^128 possible messages.
: CTR mode maps it to one of 256 messages.
:
: The latter produces an 8-bit cyphertext with only 256 possible
: interpretations.
:
: If you happened to know the message consisted entirely of space
: characters, you could uniquely identify the message!

: C = 88 5e f7 fe c1 78 f0 6d 61 c8 bc ac 3a a1 09 ae 12 6b 4e 46 58

: What is P?

Apparently unable to produce any other coherent reply, Tom presents me
with another of his idiotic challenges again :-(

: : Of course it's not provably secure - unless you think only having 256
: : possible plaintexts out of the possible billions is something
: : worthwhile.
: :
: : We're trying to stop the attacker getting information about the
: : message.
: : Giving him the length of the message on a plate is a terrible start.
:
: : Why?  Tell me how you can find K from C knowing the length?
:
: : Just tell me why it's a problem.
:
: You go round and round in circles.  I've responded in some detail to both
: these questions already.

: Well those are real questions. [...]

Which - as I have stated - I have already replied to, at least once.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Berton Allen Earnshaw [EMAIL PROTECTED]
Subject: Re: One last bijection question
Date: 05 Jun 2001 16:31:15 -0600

Just to clarify: the words 'bijection' and 'isomorphism' are not the
same thing.  An isomorphism must also preserve the operations of the
two sets, while a bijection has no such requirement.

For example, if (A,x) and (B,X) are both groups with x being the
group-operation of A and X the group-operation of B, and if
f : A -> B is an isomorphism, then f is a bijection *and* for all y,z in
A, f(y x z) = f(y) X f(z), i.e., f preserves the respective
group-operations.

-- 
Berton Earnshaw - [EMAIL PROTECTED]

--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Are RS codes a type of PRF?
Date: Tue, 05 Jun 2001 22:45:55 GMT

As far as I can tell RS codes (Reed-Solomon) are a form of error correction
codes (???) that were (as an example) used in Twofish to map 8 bytes down to
4 bytes such that the distance is 5 bytes.

So could we make an 8-byte Feistel by appending a 4 byte key to one half to
make the 8 bytes then compute the RS code on it?

Do the remaining unfixed four bytes form a permutation

Cryptography-Digest Digest #530

2001-01-23 Thread Digestifier

Cryptography-Digest Digest #530, Volume #13  Tue, 23 Jan 01 13:13:01 EST

Contents:
  Re: Any cryptoanalysis available for 'polymorphic ciphers'? (Joachim Scholz)
  Conway Polynomials (Andrei Heilper)
  Re: Conway Polynomials (Mehdi-Laurent Akkar)
  magazine cryptologia... ("Danijel Kopcinovic")
  Re: Conway Polynomials (Mehdi-Laurent Akkar)
  Re: Any cryptoanalysis available for 'polymorphic ciphers'? ("Jakob Jonsson")
  Re: A Small Challnge ("Frog2000")
  Cryptographic Windows APIs or OCX? (Armando P.)
  Question: Heard of ENCIPHERMENT COMMUNICATIONS? ("Melinda Harris")
  Re: Dynamic Transposition Revisited (long) ("John A. Malley")
  Re: Why Microsoft's Product Activation Stinks (JCA)
  Re: Conway Polynomials ("Brian Gladman")
  Re: magazine cryptologia... (Mok-Kong Shen)
  Re: magazine cryptologia... (Quisquater)
  Re: Any good source of cryptanalysis source code (C/C++)? (Bob Silverman)
  Re: secure RNG (Paul Crowley)
  Producing "bit-balanced" strings efficiently for Dynamic Transposition (John Savard)
  Re: Fitting Dynamic Transposition into a Binary World (John Savard)



From: Joachim Scholz [EMAIL PROTECTED]
Subject: Re: Any cryptoanalysis available for 'polymorphic ciphers'?
Date: 23 Jan 2001 15:21:07 +0100

Mok-Kong Shen [EMAIL PROTECTED] writes:

> I tried to download the pdf file (English version) several
> times but the process seemed to get stuck each time.

The pdf file contains the same information (or lack of it) as the web
page.

Kind regards, Joachim Scholz

--

From: Andrei Heilper [EMAIL PROTECTED]
Subject: Conway Polynomials
Date: Tue, 23 Jan 2001 17:05:09 +0200

There has been a discussion about primitive and irreducible polynomials.

The finite fields in Magma are constructed using what they called
"Conway polynomials". Does somebody know what the definition of
these polynomials is?

Andrei Heilper


--

From: Mehdi-Laurent Akkar [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: Conway Polynomials
Date: Tue, 23 Jan 2001 15:03:15 GMT

The Conway polynomial C_(p, n) is the lexicographically first monic
irreducible, primitive polynomial of degree n over GF(p) with the property
that it is consistent with all C_(p, m) for m dividing n. Consistency of
C_(p, n) and C_(p, m) for m dividing n means that for a root alpha of C_(p,
n) it holds that beta = alpha^((p^n - 1)/(p^m - 1)) is a root of C_(p, m).
Lexicographically first is with respect to the system of representatives
-((p - 1)/2), ..., - 1, 0, 1, ..., ((p - 1)/2) for the residue classes
modulo p, ordered via 0 < -1 < 1 < -2 < ... < ((p - 1)/2) (and we only need
to compare polynomials of the same degree).  To compute the Conway
polynomial C_(p, n) one needs to know all Conway polynomials C_(p, m) for m
dividing n, and as far as we know, no essentially better method is known
than enumerating and testing the primitive polynomials of degree n in
lexicographical order.

More information: www.google.com

A+ MLA

Andrei Heilper wrote:

> There has been a discussion about primitive and irreducible polynomials.
>
> The finite fields in Magma are constructed using what they called
> "Conway polynomials". Does somebody know what the definition of
> these polynomials is?
>
> Andrei Heilper
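
The definition in the reply above can be run directly for small fields. This is an added example, not code from the post or from Magma; it assumes polynomials are compared starting from the highest-degree coefficient, and all function names are its own.

```python
from functools import lru_cache
from itertools import product

def prime_factors(m):
    """Set of prime divisors of m (trial division; fine for small p^n - 1)."""
    out, q = set(), 2
    while q * q <= m:
        while m % q == 0:
            out.add(q)
            m //= q
        q += 1
    if m > 1:
        out.add(m)
    return out

def mulmod(a, b, f, p):
    """a*b in GF(p)[x]/(f); a and b hold n coefficients, lowest degree first."""
    n = len(f) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    for d in range(2 * n - 2, n - 1, -1):   # x^n = -(f_0 + ... + f_{n-1} x^{n-1})
        for k in range(n):
            prod[d - n + k] = (prod[d - n + k] - prod[d] * f[k]) % p
    return prod[:n]

def powmod(a, e, f, p):
    """a^e in GF(p)[x]/(f) by square-and-multiply."""
    result = [1] + [0] * (len(f) - 2)
    while e:
        if e & 1:
            result = mulmod(result, a, f, p)
        a = mulmod(a, a, f, p)
        e >>= 1
    return result

def alpha(f, p):
    """The class of x modulo f, i.e. a root of f in GF(p)[x]/(f)."""
    n = len(f) - 1
    return [(-f[0]) % p] if n == 1 else [0, 1] + [0] * (n - 2)

def is_primitive(f, p):
    """True iff x has multiplicative order p^n - 1 modulo f (implies irreducible)."""
    n = len(f) - 1
    order, one, a = p**n - 1, [1] + [0] * (n - 1), alpha(f, p)
    return powmod(a, order, f, p) == one and all(
        powmod(a, order // q, f, p) != one for q in prime_factors(order))

def consistent(f, p, m, g):
    """beta = alpha^((p^n - 1)/(p^m - 1)) must be a root of g = C_(p, m)."""
    n = len(f) - 1
    beta = powmod(alpha(f, p), (p**n - 1) // (p**m - 1), f, p)
    acc = [0] * n
    for c in reversed(g):                   # Horner evaluation of g(beta)
        acc = mulmod(acc, beta, f, p)
        acc[0] = (acc[0] + c) % p
    return not any(acc)

def rank(c, p):
    """Position of residue c in the order 0 < -1 < 1 < -2 < 2 < ..."""
    return 2 * c if 2 * c < p else 2 * (p - c) - 1

@lru_cache(maxsize=None)
def conway(p, n):
    """C_(p, n) as a coefficient tuple, lowest degree first."""
    smaller = {m: conway(p, m) for m in range(1, n) if n % m == 0}
    digits = sorted(range(p), key=lambda c: rank(c, p))
    for high_first in product(digits, repeat=n):   # a_(n-1) is most significant
        f = tuple(reversed(high_first)) + (1,)
        if is_primitive(f, p) and all(
                consistent(f, p, m, g) for m, g in smaller.items()):
            return f

if __name__ == "__main__":
    print({(p, n): conway(p, n) for p, n in [(2, 4), (3, 2), (5, 2)]})
```

For example, `conway(2, 4)` returns `(1, 1, 0, 0, 1)`, which is x^4 + x + 1.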


--

From: "Danijel Kopcinovic" [EMAIL PROTECTED]
Subject: magazine cryptologia...
Date: Tue, 23 Jan 2001 15:15:42 -0800

anyone knows where i could get some articles published in "cryptologia"
magazine?

thx!



--

From: Mehdi-Laurent Akkar [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: Conway Polynomials
Date: Tue, 23 Jan 2001 15:13:13 GMT

> and as far as we know, no essentially better method is known
> than enumerating and testing the primitive polynomials of degree n in
> lexicographical order.


Better methods seem to be known, but I do not know their efficiency;
see for more details:

http://ei.cs.vt.edu:8090/Dienst/UI/2.0/Describe/ncstrl.vatech_cs%2fTR-98-14

A+  MLA



> More information: www.google.com
>
> A+ MLA
>
> Andrei Heilper wrote:
>
> > There has been a discussion about primitive and irreducible polynomials.
> >
> > The finite fields in Magma are constructed using what they called
> > "Conway polynomials". Does somebody know what the definition of
> > these polynomials is?
> >
> > Andrei Heilper


--

From: "Jakob Jonsson" [EMAIL PROTECTED]
Subject: Re: Any cryptoanalysis available for 'polymorphic ciphers'?
Date: Tue, 23 Jan 2001 16:16:45 +0100

> Hello, on
> http://www.identification.de/crypto/descript.html
> a method is described which the authors call 'polymorphic
> encryption'. They claim it to be the most secure algorithm on the
> market. Of course, this is a site where the authors want to promote

Cryptography-Digest Digest #530

2000-04-11 Thread Digestifier

Cryptography-Digest Digest #530, Volume #11  Tue, 11 Apr 00 23:13:01 EDT

Contents:
  Re: permutation polynomials (more) (Mike Rosing)
  Re: Looking for crypto short course or workshop (Mike Rosing)
  Re: Quantum Teleportation (Mike Rosing)
  Re: strength of altered vigenere cipher? (Mok-Kong Shen)
  Corellations ([EMAIL PROTECTED])
  Re: Corellations (mark carroll)
  Compaq invents more efficient RSA?! (Felix von Leitner)
  Re: Is AES necessary? (wtshaw)
  Re: are self-shredding files possible? (Frank Gifford)
  Re: Q: Entropy (Bryan Olson)
  Re: Encode Book? (lordcow77)
  manual cypher (MCTER) (=?ISO-8859-1?Q?Jacques_Th=E9riault?=)
  Re: Q: Inverse of large, sparse boolean matrix, anyone? (Gadi Guy)
  Re: DNA steganography (wtshaw)
  Re: Compaq invents more efficient RSA?! (DJohn37050)
  Re: Q: Petri nets (wtshaw)
  Re: are self-shredding files possible? ("david hopkins")
  Re: Looking for crypto short course or workshop (David A Molnar)
  Re: Hash function based on permutation polynomials (Tom St Denis)



From: Mike Rosing [EMAIL PROTECTED]
Subject: Re: permutation polynomials (more)
Date: Tue, 11 Apr 2000 11:12:53 -0500

Tom St Denis wrote:
> I want the biggest order I can get, i.e p states.  But I didn't think
> you could have primitive polynomials [mod composite]... am I wrong?
> Something like
>
> P(x) = 2x^2 + x, is a permutation polynomial, but is not primitive...

If you have an even x, you stay even forever.  So at best this is a
1/2 maximum period.  

Something else you might want to check out that would work is called
the Zech logarithm.  It should give you maximum permutation period, but
I'm not sure how linear it is.

Patience, persistence, truth,
Dr. mike

--

From: Mike Rosing [EMAIL PROTECTED]
Subject: Re: Looking for crypto short course or workshop
Date: Tue, 11 Apr 2000 11:32:08 -0500

Kim J.-H. wrote:
 
> I would like to want to know about crypto short course or workshop to be
> held.
> The topic may be general or specific.
> I am waiting for your guidance.

Christof Paar just posted news of a 4 day course at Worcester
Polytechnic.  He's also got a workshop in August.  It's a long ways
from Korea tho!

Patience, persistence, truth,
Dr. mike

--

From: Mike Rosing [EMAIL PROTECTED]
Subject: Re: Quantum Teleportation
Date: Tue, 11 Apr 2000 11:47:14 -0500

Doug Goncz wrote:
 
> Can any of you here make any connections between these four topics?
>
> I hope I'm not way OT, and that this isn't too speculative. If so, might you
> direct me? I saw very little in sci.crypt.research the other day. Like three
> posts.
>
> Please feel free to go way out there. I'm interested in novel insights as well
> as anything well recognized. I can certainly look up any references at the
> university library. I'll take your suggestions that seriously, I promise. This
> is not idle chatter.

The problem is in mixing scales.  What happens in a quantum experiment
doesn't easily translate to machine scale.  A quantum model of GABA (a
neuro-transmitter molecule) would be a fantastic leap of knowledge at
this point.  A quantum model of "everyday things" is just too far off
for us to imagine.  Not that it can't be done eventually, it's just way
outside our ability today.

You can call a cell a "machine".  It's so complicated we don't
understand it all yet.  Once we do, building self replicating machinery
won't be all that difficult.  But I suspect there are quantum tricks
happening at the sub-molecular level which help things work, and you
won't be able to do that on a machine that's too large.  Some day we
might be able to build "cellular machines", but I bet they won't
compare well to living organisms.

This is kind of way OT, so if you want to have further discussion, send
me e-mail at [EMAIL PROTECTED]

Patience, persistence, truth,
Dr. mike

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: strength of altered vigenere cipher?
Date: Tue, 11 Apr 2000 20:13:38 +0200

Paul Koning wrote:
 
> Mok-Kong Shen wrote:
>
> > The strength question has been answered by others. I just want
> > to say that, if you want to use polyalphabetic substitution,
> > then don't use Vigenere with all alphabets being shifted versions
> > of one another but use so-called independent alphabets (i.e.
> > the characters of the alphabets are randomly ordered) and
> > long keys.
>
> That will only help a little.  As soon as I get enough ciphertext,
> I can determine the period (key length) and at that point the
> problem reduces to that many simple substitution ciphers.  If the
> key length is less than 3% or so of the message length, you're
> in trouble...

It depends upon how many alphabets you have and whether you can
get actually 'enough' ciphertext that you need. The security of
a cipher system is determined by many factors and no practically
avail

Cryptography-Digest Digest #530

1999-11-09 Thread Digestifier

Cryptography-Digest Digest #530, Volume #10   Tue, 9 Nov 99 03:13:06 EST

Contents:
  Re: How protect HDisk against Customs when entering Great Britain (Bill Unruh)
  Re: Your Opinions on Quantum Cryptography ("Trevor Jackson, III")
  Re: Lenstra on key sizes (DJohn37050)
  Re: What's gpg? (Jerry Coffin)
  Bracking RSA Encryption. Is it possible. ([EMAIL PROTECTED])
  Re: PGP Cracked ? (Dennis Ritchie)
  Re: Lenstra on key sizes (Bruce Schneier)
  Re: Lenstra on key sizes (Tom St Denis)
  Re: Q: Removal of bias ([EMAIL PROTECTED])
  The story of a small boy --- sealed envelops --- encryption technologies (Markku J. 
Saarelainen)



From: [EMAIL PROTECTED] (Bill Unruh)
Crossposted-To: 
alt.security.pgp,comp.security.pgp.discuss,comp.security.pgp.tech,alt.privacy,alt.privacy.anon-server
Subject: Re: How protect HDisk against Customs when entering Great Britain
Date: 9 Nov 1999 01:45:29 GMT

In [EMAIL PROTECTED] [EMAIL PROTECTED] (DigitAl56K) writes:

> Even if you were detained without absolute proof of illegal data on
> your PC, which would be impossible to obtain you would not have to
> decrypt the data and therefore customs would be forced to hold you
> indefinitely (not very likely I think!) or let you go.

Actually customs has a lot more power than that. They could simply
refuse you entry and force you to fly back to your country of origin.
You could of course try raising a stink once back in your country of
origin, but it would not be terribly effective.
Customs has much more power to make you uncomfortable than you have to
make them uncomfortable.

> can't force you to decrypt it.

You also cannot force them to let you into the UK.


> You might want to use PGPi though as US export restrictions stop you
> taking the normal PGP (which most of the world has anyway) out of the
> country.

No. US law prevents you from taking any encryption, no matter where you
got it, out of the US without a license.

--

Date: Mon, 08 Nov 1999 21:13:54 -0500
From: "Trevor Jackson, III" [EMAIL PROTECTED]
Subject: Re: Your Opinions on Quantum Cryptography

John Myre wrote:

> Bill Unruh wrote:
> >
> > In [EMAIL PROTECTED] Jeremy Nysen [EMAIL PROTECTED] writes:
> >
> > > Also, quantum cryptography by itself doesn't prevent a middleman attack
> > > (though it does make it very difficult). Which means it should be
> >
> > Don't confuse quantum crypto with quantum computing.
> > Also quantum crypto is immune to the "middleman" attack.
> > That is one of its strengths.
> >
> > > possible to set up a 'relay' box in between two communicating parties
> > > that pretends to be the other.  You would still need a 'relay' box for
> >
> > No, that is exactly what quantum crypto prevents. Any such middle man
> > can be detected.
>
> It is my understanding that quantum crypto makes it impossible
> (well - arbitrarily unlikely) to eavesdrop passively, but that an
> active man-in-the-middle is still possible: Alice and Bob have no
> physical way to know who they are talking to.  That is, Eve is
> out of luck, but Mallory is still in business.
>
> With normal communication methods, Mallory can replicate each
> side exactly, thus behaving as Eve.  With quantum crypto, I
> think Mallory can no longer do this, as the information exchanged
> is only probabilistic.  Mallory can pretend to be Bob while
> talking to Alice, and pretend to be Alice while talking to Bob,
> but he cannot ensure that the two connections end up with the
> same session key.

Why does he care?  If he starts by emulating the correspondents to each other,
what forces him to stop?  I.e., why can he not continue maintaining the charade,
keeping both sessions independent?

> So in addition to quantum crypto, you still need mathematical crypto
> to authenticate who you are talking to.  (Even if we use the
> secure quantum crypto channel to ask about maiden names, proper
> authentication will require careful protocol design).
>
> John M.




--

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Lenstra on key sizes
Date: 09 Nov 1999 02:14:32 GMT

The only reason I can see right now for using longer AES key sizes than 128 is
if quantum computers (or something similar) become real.
Don Johnson

--

From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: What's gpg?
Date: Mon, 8 Nov 1999 19:32:44 -0700

In article [EMAIL PROTECTED], [EMAIL PROTECTED] says...

> I just picked up the fact that there's a GNU version of PGP out, called
> GPG or GNUPG.
>
> I found the web page www.gnupg.org, and it makes claims that no
> patented algorithms are used.

Okay.

> From this claim I would assume that GPG is not as secure as PGP.

Why would you conclude that?  The basics are simple: for the public-
key part, there are basically three major algorithms: Diffie-Hellman, 
RSA and Elliptical-Curves.  Of these, DH was patented, but the patent 
has expired, and

Cryptography-Digest Digest #530

1999-05-11 Thread Digestifier

Cryptography-Digest Digest #530, Volume #9   Tue, 11 May 99 19:13:04 EDT

Contents:
  A simple challenge for Tomstdenis ([EMAIL PROTECTED])
  Re: A simple challenge for Tomstdenis ([EMAIL PROTECTED])
  Re: Let me prove my claim. (Paul Koning)
  TwoDeck (some help please) ([EMAIL PROTECTED])
  Re: TwoDeck solution (but it ain't pretty) (Jim Felling)
  Re: The simplest to understand and as secure as it gets. (Paul Koning)
  Re: public/private key authentication? (Dylan Thurston)
  Re: Crypto export limits ruled unconstitutional (Mok-Kong Shen)
  Re: Pentium3 serial number is based on who you [server/exterior] claimed to be 
(Roger Carbol)
  Re: How was this key constructed? (Jim Gillogly)
  Snuffle (John Kasdan)
  Re: A simple challenge for Tomstdenis (Jim Felling)
  Re: AES (John Savard)
  Re: Pentium3 serial number is based on who you [server/exterior] claimed  (Paul 
Koning)
  Re: Thought question: why do public ciphers use only simple ops like(Bryan Olson)
  Re: The simplest to understand and as secure as it gets. (David Hamilton)
  Re: Time stamping (complete) (David A Molnar)
  Re: Crypto export limits ruled unconstitutional (wtshaw)
  Re: How was this key constructed? (Paul Koning)
  Re: BEST ADAPTIVE HUFFMAN COMPRESSION FOR CRYPTO 
([EMAIL PROTECTED])
  Re: Bricklaying DES (David Wagner)



From: [EMAIL PROTECTED]
Subject: A simple challenge for Tomstdenis
Date: Tue, 11 May 1999 20:32:33 GMT

Apply either linear or differential cryptanalysis to this algorithm, oh
person who uses these terms so frequently to other people:
All quantities are 32-bit, unsigned. + is addition mod 2^32, ^ is XOR

It's an 8-round feistel network where f(a,b) is
(a+b)^(a*b)

The round key for round "i" is:
RK_i = (K[0] + i*0x12345678) + (K[1] + i*0x87654321)



--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

--

From: [EMAIL PROTECTED]
Subject: Re: A simple challenge for Tomstdenis
Date: Tue, 11 May 1999 20:47:53 GMT


> person who uses these terms so frequently to other people:
> All quantities are 32-bit, unsigned. + is addition mod 2^32, ^ is XOR
>
> It's an 8-round feistel network where f(a,b) is
> (a+b)^(a*b)
>
> The round key for round "i" is:
> RK_i = (K[0] + i*0x12345678) + (K[1] + i*0x87654321)

Well first that is not a feistel cipher.  Second you can completely
remove the constant i and its multiplier.  This leaves K[0] + K[1],
from which you can poke and prod at.  I have never actually done
analysis but with a chosen plaintext attack you can most likely find
the key.  The differential attack would be finding the differences
from 'k[0] + k[1]' and the plaintext.

So the cipher is

for r = 1 to rounds
   a = (a + b) ^ (a * b)
   (a,b) = (b,a)

But that's not possible!!!  That's not a cipher!!!

Is that enough for five minutes?

Tom
--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!
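
The reply's remark that the round keys reduce to K[0] + K[1] can be checked by running the posted key schedule. This is an added example, not code from either poster; the Feistel layout (two 32-bit halves, f applied to the right half and the round key), the helper names and the sample key and block are assumptions constructed for illustration.

```python
MASK = 0xFFFFFFFF   # all quantities are 32-bit unsigned
ROUNDS = 8

def round_key(key, i):
    """RK_i as posted: (K[0] + i*0x12345678) + (K[1] + i*0x87654321)."""
    return ((key[0] + i * 0x12345678) + (key[1] + i * 0x87654321)) & MASK

def f(a, b):
    """Round function from the post: (a+b) ^ (a*b), reduced mod 2^32."""
    return ((a + b) ^ (a * b)) & MASK

def encrypt(block, key):
    # Assumed layout (the post does not spell it out): balanced Feistel on
    # two 32-bit halves, f taking the right half and the round key.
    left, right = block
    for i in range(ROUNDS):
        left, right = right, left ^ f(right, round_key(key, i))
    return left, right

def decrypt(block, key):
    left, right = block
    for i in reversed(range(ROUNDS)):
        left, right = right ^ f(left, round_key(key, i)), left
    return left, right

def equivalent_keys(key, count):
    """Keys (K0 + d, K1 - d) keep K0 + K1 mod 2^32, hence every round key."""
    return [((key[0] + d) & MASK, (key[1] - d) & MASK)
            for d in range(1, count + 1)]

def demo():
    key = (0x0BADC0DE, 0x13579BDF)      # constructed sample key
    block = (0x01234567, 0x89ABCDEF)    # constructed sample plaintext
    ct = encrypt(block, key)
    others = equivalent_keys(key, 1000)
    return {
        "roundtrip": decrypt(ct, key) == block,
        # every one of the 1000 other keys produces the same ciphertext
        "all_equivalent": all(encrypt(block, k) == ct for k in others),
        # and each of them decrypts a ciphertext made under the original key
        "cross_decrypt": all(decrypt(ct, k) == block for k in others),
        # the two per-round constants add up to one known constant
        "schedule_collapses": all(
            round_key(key, i) == (key[0] + key[1] + i * 0x99999999) & MASK
            for i in range(ROUNDS)),
    }

if __name__ == "__main__":
    print(demo())
```

Every 64-bit key with the same sum K[0] + K[1] mod 2^32 behaves identically, so the schedule offers at most 2^32 distinct keys.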



--

From: Paul Koning [EMAIL PROTECTED]
Crossposted-To: alt.privacy
Subject: Re: Let me prove my claim.
Date: Tue, 11 May 1999 12:24:29 -0400

Anthony Stephen Szopa wrote:
 
> Let me prove my claim.
>
> At http://www.ciphile.com you can download the entire Help Files from
> the Original Absolute Privacy - Level3 Version 4.0 encryption software
> package.  Reading Help Files # 1 - Theory, #2 - Processes 1,  #3 -
> Processes 2 should be enough to convince anyone that this encryption
> software is the simplest, the easiest to understand,  and as good as it
> gets.  Thank you.

Ok, I looked.  I also read the Snake Oil FAQ.  So exactly why are you
claiming it doesn't apply to what you created?

paul

--

From: [EMAIL PROTECTED]
Subject: TwoDeck (some help please)
Date: Tue, 11 May 1999 21:00:01 GMT

I have analyzed the algorithm a bit (sieving modes), and I think they
can be extended a bit.  Maybe even faster than a brute force search.  I
would like help cleaning up the paper, and the attacks.  I am updating
the paper at school tomorrow to include what I have done so far.

Anyone with a little time to spare, maybe even to correct grammar, I
would appreciate the help!!!

I want to clean it up and make it more visually pleasing, as well as
more actual facts and proofs..

Thanks for your time,
Tom
--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!

