Cryptography-Digest Digest #786

2001-03-03 Thread Digestifier

Cryptography-Digest Digest #786, Volume #13   Sat, 3 Mar 01 06:13:01 EST

Contents:
  Completely wiping HD: forget it, it can't be done. (Paul Rubin)
  Re: beyond "group signatures": how to prove sibling relationships? (Benjamin Goldberg)
  Re: Fractal encryption? ("John A. Malley")
  Re: Completely wiping HD (Guy Macon)
  Re: HPRNG ("Matt Timmermans")
  Re: = FBI easily cracks encryption ...? (Tony L. Svanstrom)
  Re: = FBI easily cracks encryption ...? ("kroesjnov")
  Re: = FBI easily cracks encryption ...? ("kroesjnov")
  Re: = FBI easily cracks encryption ...? ("kroesjnov")
  Cryptanalysis of GOST? ("Rebus Mauser")
  Re: = FBI easily cracks encryption ...? ("Michael Brown")



From: Paul Rubin [EMAIL PROTECTED]
Subject: Completely wiping HD: forget it, it can't be done.
Date: 02 Mar 2001 22:13:37 -0800

David Griffith [EMAIL PROTECTED] writes:
> I wish to completely wipe a 2gig harddisk. There is now no data I want to
> keep, however neither do I want anything to be recoverable.

If you really want to totally trash the data on your disk, you must
forget all those software things you were asking about.  The only
thing you can really do is take the drive apart, and sand the oxide
off the platters with a grinding wheel.  Then heat the metal discs to
above the Curie point for several minutes, to get rid of any remaining
magnetization.  Or better yet, melt them.  Or slag the whole drive in
a blast furnace.

There is absolutely no way that software can 100% reliably totally
erase a disk.  You have no idea what the capacity of the disk really
is.  When you say 2 gig, it means 2 gig are available for your files.
But the real capacity might be, say 2.1 gig, because there are
reserved areas for flushing the internal drive cache on powerdown, for
forwarding bad sectors to as the firmware detects them, and whatever
else.  All this happens completely behind the scenes and you have no
way to know whether any of your data has ever been written to those
areas.  The areas are simply not externally visible.

You simply cannot be sure you have totally destroyed the data, except
by physically destroying the drive.

--

From: Benjamin Goldberg [EMAIL PROTECTED]
Subject: Re: beyond "group signatures": how to prove sibling relationships?
Date: Sat, 03 Mar 2001 06:37:06 GMT

I'm not sure if this is quite what you want, but what about ElGamal type
PK systems?  Either ECC, or DH.

ECC/ElGamal encryption works as follows:
Common to both parts:
some curve with many points on it.  The more, the merrier :)
The private key
a = a random integer
The public key:
P = a random point
Q = aP
Encrypt:
r = a random integer
ct = (rP,rQ + pt)
Decrypt:
pt = ct[1] - a*ct[0]

Call a, T, and call (Pi,Qi), (Pj,Qj), Ci and Cj.

As many public keys as desired can be created from one private key.
They could be considered siblings.

AFAIKS, (1) and (2) are fulfilled.

(3) It is possible to prove that T is the parent of Ci, simply by
encrypting a random nonce with Ci, and decrypting with T, and sending
the nonce back to the holder of the Ci.

(4) To learn that Ci and Cj are siblings, with the help of T:
r0 = a random number
r1 = a random point
ct = (r0(Pi+Pj), r0(Qi+Qj)+r1)
Ask T to decrypt this.
T sends back a plaintext, which has the value r1 iff Ci and Cj are
siblings.

I think that (4b) is also fulfilled, but I'm not certain what is meant by
anonymously, in (4a).

-- 
The difference between theory and practice is that in theory, theory and
practice are identical, but in practice, they are not.
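The scheme described in the post, as an added example in Python that is not Goldberg's code: ElGamal on a toy curve, several sibling public keys derived from one private scalar, and the sibling test (4) run through the holder of a as a decryption oracle. The curve y^2 = x^3 + 2x + 2 over F_17 (19 points, so its arithmetic is checkable by hand), the scalars 7 and 11, and the `demo` helper are assumptions of this example.

```python
import random

# Toy textbook curve y^2 = x^3 + 2x + 2 over F_17 (assumed for this example).
# It has 19 points including the identity; 19 is prime, so every finite point
# generates the whole group and no scalar below 19 maps a point to the identity.
P_MOD, A_COEF, ORDER = 17, 2, 19
G = (5, 1)
INF = None  # point at infinity, the group identity

def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)

def add(p1, p2):
    """Affine point addition; handles the identity and p1 == -p2."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        s = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    s %= P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """k*pt by left-to-right double-and-add."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def keygen(a, rng):
    """One public key (P, Q = aP) for private scalar a; call again for a sibling."""
    P = mul(rng.randrange(1, ORDER), G)
    return (P, mul(a, P))

def encrypt(pub, pt, r):
    P, Q = pub
    return (mul(r, P), add(mul(r, Q), pt))  # ct = (rP, rQ + pt)

def decrypt(a, ct):
    return add(ct[1], neg(mul(a, ct[0])))  # pt = ct[1] - a*ct[0]

def siblings(pub_i, pub_j, oracle, rng):
    """Test (4): T decrypts (r0(Pi+Pj), r0(Qi+Qj)+r1) to exactly r1 iff
    Qi = aPi and Qj = aPj; otherwise a term r0(b-a)Pj is left over."""
    (Pi, Qi), (Pj, Qj) = pub_i, pub_j
    r0 = rng.randrange(1, ORDER)
    r1 = mul(rng.randrange(1, ORDER), G)  # a random point
    ct = (mul(r0, add(Pi, Pj)), add(mul(r0, add(Qi, Qj)), r1))
    return oracle(ct) == r1

def demo(seed=1):
    """Two siblings under a = 7 and one unrelated key under b = 11 (assumed)."""
    rng = random.Random(seed)
    ci, cj, ck = keygen(7, rng), keygen(7, rng), keygen(11, rng)
    oracle = lambda ct: decrypt(7, ct)  # T, the holder of a
    roundtrip = decrypt(7, encrypt(ci, G, 5)) == G
    return roundtrip, siblings(ci, cj, oracle, rng), siblings(ci, ck, oracle, rng)
```

Note that T answers any decryption query here; anyone who can pose such queries to T learns sibling relationships, which is exactly what (4) relies on.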

--

From: "John A. Malley" [EMAIL PROTECTED]
Subject: Re: Fractal encryption?
Date: Fri, 02 Mar 2001 22:44:21 -0800


David A Molnar wrote:
[snip]

> Besides eprint.iacr.org, what other preprint archives/sites are there worth
> looking at in cryptography?

I only know of and monitor (on an at-least weekly basis) two preprint
services - the IACR and the LANL sites.
 
The LANL site covers number theory, group theory, physics and cryptology
preprints.  There's a computer science specific subject index at

http://xxx.lanl.gov/archive/cs

and a mathematics specific subject index at

http://xxx.lanl.gov/archive/math

and there's the already cited IACR cryptology preprint site at 

http://eprint.iacr.org

Does anyone know any more crypto preprint sites?  Google search didn't
reveal any more to me. 


John A. Malley
[EMAIL PROTECTED]

--

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Completely wiping HD
Date: 03 Mar 2001 08:53:47 GMT

Albert P. Belle Isle wrote:

Good info! thanks!

I use a floppy disk and a fireplace to wipe my info.
Let them try to recover *THOSE* bits!



Forensic disk data recovery attacks attempt to read "deleted" (or
inadequately overwritten) magnetically stored data on your 

Cryptography-Digest Digest #786

2000-09-27 Thread Digestifier

Cryptography-Digest Digest #786, Volume #12  Wed, 27 Sep 00 20:13:01 EDT

Contents:
  Re: RSA and Chinese Remainder Theorem (Bryan Olson)
  Re: A Note on news groups. (ordosclan)
  Re: Chaos theory (zapzing)
  Re: Cipher Illiteracy (Ichinin)
  I like to receive a listing of excellent pages with links to specific algorithms in EEC and chaos theories relevant to crypto (Markku J. Saarelainen)
  Re: Tying Up Loose Ends - Correction (Tim Tyler)
  Re: Chaos theory (Tim Tyler)
  Re: Chaos theory (Tim Tyler)
  Re: PRNG improvement?? (Tim Tyler)
  Re: A Note on news groups. (Rex Stewart)
  Re: A New (?) Use for Chi (David Wagner)
  Re: A New (?) Use for Chi (John Savard)
  Re: Tying Up Loose Ends - Correction (John Savard)
  Re: Cipher Illiteracy ([EMAIL PROTECTED])
  Re: Tying Up Loose Ends - Correction (Bryan Olson)
  Re: RSA and Chinese Remainder Theorem (Bryan Olson)
  Re: IBM analysis secret. ("Brian Gladman")
  Re: PRNG improvement?? (Eric Lee Green)



From: Bryan Olson [EMAIL PROTECTED]
Subject: Re: RSA and Chinese Remainder Theorem
Date: Wed, 27 Sep 2000 20:04:58 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
> Oliver Moeller [EMAIL PROTECTED] wrote:
>> (3) Now compute with CR the number c' (mod n), which is uniquely
>> encoded by xx and yy.
>
> If I get that right ... c' = xx*yy mod pq?

It's a little more complicated.  Let p_inv be the mod-q
inverse of p.  To review the notation,

n is the modulus, p*q
m is the message and in the range 0..n-1
xx is m mod p
yy is m mod q
p_inv is the mod-q inverse of p

Here's how to reconstruct m using Garner's algorithm:

m = (((yy - xx) * p_inv) mod q) * p + xx

Note that (yy - xx) can be negative, and some math
packages will return a negative value for (z mod m) when
z is negative.  So use the equivalent:

m = (((q + yy - xx) * p_inv) mod q) * p + xx

It's worth doing the exercise of showing that the resulting
m must be congruent to xx mod p, congruent to yy mod q, and
in the range 0..n-1.

Garner's algorithm generalizes to more than two primes.
See HAC Chapter 14, Algorithm 14.71, available on-line
at:
http://www.cacr.math.uwaterloo.ca/hac/


--Bryan
--
email: bolson at certicom dot com


Sent via Deja.com http://www.deja.com/
Before you buy.
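Garner's recombination from the post, as an added example in Python that is not Bryan Olson's code: the two-prime form with the (q + yy - xx) guard, the HAC 14.71 generalisation to any number of moduli, the congruence check he suggests as an exercise, and CRT-based RSA decryption using it. The key p = 61, q = 53, e = 17, d = 2753 is an assumed textbook-sized key.

```python
def garner_two(xx, yy, p, q):
    """Two-prime form: m = (((q + yy - xx) * p_inv) mod q) * p + xx.
    The added q keeps the product non-negative in languages whose (z mod m)
    is negative when z is; Python's % is already non-negative."""
    p_inv = pow(p, -1, q)                 # mod-q inverse of p
    return (((q + yy - xx) * p_inv) % q) * p + xx

def garner(residues, moduli):
    """HAC Algorithm 14.71 for t pairwise coprime moduli: x with x = v_i mod m_i."""
    t = len(moduli)
    coeffs = [None] * t                   # C_i = (m_1 * ... * m_{i-1})^-1 mod m_i
    for i in range(1, t):
        c = 1
        for j in range(i):
            c = (c * pow(moduli[j], -1, moduli[i])) % moduli[i]
        coeffs[i] = c
    x = residues[0]
    partial = moduli[0]                   # m_1 * ... * m_{i-1}
    for i in range(1, t):
        u = ((residues[i] - x) * coeffs[i]) % moduli[i]
        x += u * partial
        partial *= moduli[i]
    return x

def check(m, xx, yy, p, q):
    """The exercise from the post: m matches both residues and lies in 0..n-1."""
    return m % p == xx and m % q == yy and 0 <= m < p * q

def rsa_decrypt_crt(c, p, q, d):
    """RSA decryption with CRT: two half-size exponentiations, then Garner."""
    xx = pow(c, d % (p - 1), p)           # m mod p
    yy = pow(c, d % (q - 1), q)           # m mod q
    return garner_two(xx, yy, p, q)
```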

--

From: [EMAIL PROTECTED] (ordosclan)
Subject: Re: A Note on news groups.
Date: Wed, 27 Sep 2000 00:26:09 GMT
Reply-To: [EMAIL PROTECTED]

On Sat, 23 Sep 2000 22:10:12 -0400, Michael Erskine
[EMAIL PROTECTED] wrote:

> Things are not going smoothly on any news servers anywhere these days.
>
> Same things are showing everywhere.
>
> Major players everywhere are having problems.  Perhaps six or eight
> weeks ago on a Saturday morning AOL reported they had been hacked on CNN.

Yeah, it's pretty pathetic.  You know, I'm starting to think this whole
I-net is going south real fast.  Ever since dejanews went Deja, then
took the archives offline.  Probably forever.  I just.. don't..
know.

> The report played only thru the morning watch.  It said that the AOL
> spokesperson had stated AOL had been hacked thru some mail script
> or something.  We weren't to worry though because they only got to about
> thirty employees' accounts AND THE CREDIT CARD NUMBERS.
>
> Yep nothing to worry about.  They stopped reporting it at about noon.
>
> -m-

Bah.  Liars...  All these companies are about to crash.  I'm just
sitting back waiting to see what this Visa/Mastercard anti-trust suit
turns up.

Something's up.  The net was fun when it was "innocent".

Turiyan



--

From: zapzing [EMAIL PROTECTED]
Subject: Re: Chaos theory
Date: Wed, 27 Sep 2000 20:27:11 GMT

In article [EMAIL PROTECTED],
  "Douglas A. Gwyn" [EMAIL PROTECTED] wrote:
> Soeren Gammelmark wrote:
>> I was wondering if anyone ever thought about using chaos theory in
>> order to make cryptographic algorithms.
>
> Yes, this comes up every so often, and it ought to be part
> of the sci.crypt FAQ.  The simple response is that chaotic
> behavior is far from random, so it is not a natural fit.

To the contrary, the behavior of a chaotic system
should look quite random as long as you hash it
down enough. And there would be *No* repetition
(at least not given our present understanding
of most physical chaotic systems). Any application
using a digital PRNG will repeat eventually, but
a sufficiently hashed chaotic RNG would not have
any cycles.

--
Void where prohibited by law.



--

From: Ichinin [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: Cipher Illiteracy
Date: Wed, 27 Se

Cryptography-Digest Digest #786

2000-05-16 Thread Digestifier

Cryptography-Digest Digest #786, Volume #11  Tue, 16 May 00 04:13:01 EDT

Contents:
  About using Crypto++ Library ("Oceanic Lin")
  Re: MASK offers tiered security for CipherText ... ("C. Prichard")
  Re: Unbreakable encryption. (Boris Kazak)
  Re: Fraudulent "Cyberscrub" statements regarding Evidence Eliminator Software ("Hiram Yaeger")
  Re: Actually, my experience and then postings since the fall of 1999 provide an excellent behavior study - the Game of General ... ("Joseph Ashwood")
  Re: Definition of "Broken" Cipher ("Joseph Ashwood")
  Re: (May 11, 2000) Cipher Contest Update ("Joseph Ashwood")
  Re: (May 11, 2000) Cipher Contest Update ("Joseph Ashwood")
  Re: (May 11, 2000) Cipher Contest Update (Scott Contini)
  Re: MASK offers NEW tier of security for CipherText ... ("C. Prichard")
  Re: Definition of "Broken" Cipher ("Adam Durana")
  Re: Destructive crypting (Runu Knips)
  Re: (May 11, 2000) Cipher Contest Update (Runu Knips)
  Re: What is a good Encryption program?? (Runu Knips)
  Re: Yet another sci.crypt cipher (Runu Knips)
  Re: Unbreakable encryption. ("C. Prichard")



From: "Oceanic Lin" [EMAIL PROTECTED]
Subject: About using Crypto++ Library
Date: Tue, 16 May 2000 11:21:00 +0800

I am using the crypto++ library with BCB5 on Windows2000.
I need to generate pseudo random numbers with the BBS generator,
but I don't know how to use it to generate them.
Could anyone who has used it show me an example of using BlumBlumShub?
Thanks.
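The Blum Blum Shub generator itself, as an added example in Python that is neither Crypto++ code nor a description of its API: the state recurrence, the output bit, and the parameter checks that any BBS implementation depends on. The primes 11 and 23 and the seed 3 are assumed toy values, far too small for real use, chosen so the states can be checked by hand.

```python
import math

def bbs_states(p, q, seed, count):
    """Blum Blum Shub: x_0 = seed^2 mod M, x_{i+1} = x_i^2 mod M, with M = p*q.
    Both primes must be 3 mod 4 (so squaring permutes the quadratic residues
    and every state has a unique predecessor) and the seed must be coprime to M.
    Its security rests on M being hard to factor, so p and q must be large."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be congruent to 3 mod 4")
    m = p * q
    if math.gcd(seed, m) != 1:
        raise ValueError("seed must be coprime to p*q")
    x = seed * seed % m
    states = []
    for _ in range(count):
        x = x * x % m
        states.append(x)
    return states

def bbs_bits(p, q, seed, count):
    """The usual output: the least significant bit of each successive state."""
    return [x & 1 for x in bbs_states(p, q, seed, count)]

def bbs_bytes(p, q, seed, nbytes):
    """Pack eight output bits per byte, most significant bit first."""
    bits = bbs_bits(p, q, seed, 8 * nbytes)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))
```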



--

From: "C. Prichard" [EMAIL PROTECTED]
Subject: Re: MASK offers tiered security for CipherText ...
Date: Tue, 16 May 2000 04:05:32 GMT

# CipherText::MASK.pm;
#
# Charles Prichard 00-05-15
#
# Builds a 1024 byte mask for CipherText.
# Example shows possible use with mask key and encipher method.
#
# EXAMPLE:

# ENCRYPTION

# $mask_key = '12345678';

# use CipherText::MASK;
# use CipherText::CipherTextII;

# $CTXT = new CipherText::MASK();

# $params = "MODE=LEVEL II;KEY=".$mask_key;
# $CTXT2 = new CipherText::CipherTextII( $params );
# $mask = $CTXT->build_mask(); # this will just be get_mask returning a string.
# $mask = $CTXT2->encipher($mask);

# (1024 byte MASK is ready)

# $params = "MODE=LEVEL II;KEY=".$mask;
# $CTXT2 = new CipherText::CipherTextII( $params );
# $MSG = $CTXT2->encipher($MSG);

# $MSG has now been encrypted with base-key-altered 1024 byte MASK.
# MASKED output now has greater diversity than normal CipherText.

# DECRYPTION is identical except that 'decipher' is used rather than 'encipher.'

package CipherText::MASK;

$CipherText_MASKPackage = "CipherText::MASK";
$CipherText_MASKPackage::Version = 000515;
$::MASK = $CipherText_MASKPackage;

#   Reserve Filter in the main namespace
*MASK:: = \CipherText::MASK;
#
# Sub new   #
#
sub new {
    my $class = shift;
    my $self = bless {}, $class;   # the object is a hash reference
    return $self;
}
#
# Sub build_mask  #
#
sub build_mask {
    my $self = shift;

    $self->{'MASK'} = "";

    my $key;

    # Perl's rand() is not a cryptographic generator: the mask is only as
    # unpredictable as the seed rand() was started from.
    for (my $x = 0; $x < 1024; $x++) {
        $key = int(rand(96));
        # one character in the range 0x1f .. 0x7e per mask byte
        $self->{'MASK'} .= chr($key + 0x1f);
    }
    return $self->{'MASK'};
}

1;

Whether this is legal or not remains to be seen.

Charles Prichard
www.greentv.com




--

From: Boris Kazak [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: Unbreakable encryption.
Date: Tue, 16 May 2000 04:25:55 GMT



[EMAIL PROTECTED] wrote:
>
> I think I will have to explain more for you to understand.
> There are some basic things that you are either not
> familiar with, or I have to be more detailed in my
> explanation.
>
> In math there are problem domains called NP and NP Hard.
> I think most people are used to everything being linear.
>
> Like this...
>
==
  Dear aspiring cryptographer!
Will you please stop this verbal diarrhea and give people 
some information about your algorithm.
  1. If your algorithm is _intractable_ and defies any
program description, how do you implement it?
  2. More important, in absence of firm orderly rules,
how is the recipient supposed to decrypt? Dynamically,
based on his own intuition and high fantasy? Ho-Ho...
  3. If a program and rules exist, publish them for
us to look at, then we will express our opinions.

Best wishes BNK

--

From: "Hiram Yaeger" no@email
Subje

Cryptography-Digest Digest #786

1999-12-23 Thread Digestifier

Cryptography-Digest Digest #786, Volume #10  Thu, 23 Dec 99 12:13:01 EST

Contents:
  Re: "Variable size" hash algorithm? (Gregory G Rose)
  Classic Cryptanalysis Tools Needed ("Leslie Wagner")
  Re: QPK (Mok-Kong Shen)
  Re: Schoof's algorithm ("Michael Scott")
  Re: More idiot "security problems" (SCOTT19U.ZIP_GUY)
  Forged PGP Key ([EMAIL PROTECTED])
  Re: Classic Cryptanalysis Tools Needed (Boaz Lopez)
  Re: Classic Cryptanalysis Tools Needed (Tom St Denis)
  Re: Classic Cryptanalysis Tools Needed (JPeschel)
  Re: Of one time pads, plaintext attacks, and fantasy (Dave Hazelwood)
  Re: More idiot "security problems" ("Trevor Jackson, III")
  Re: Implementing ElGamal (Anton Stiglic)
  Re: More idiot "security problems" ("Trevor Jackson, III")
  Re: Forged PGP Key (Johnny Bravo)
  Re: Classic Cryptanalysis Tools Needed (John Savard)
  Re: More idiot "security problems" ("Trevor Jackson, III")
  Re: More idiot "security problems" ("Trevor Jackson, III")
  Re: Of one time pads, plaintext attacks, and fantasy (Scott Fluhrer)



From: [EMAIL PROTECTED] (Gregory G Rose)
Subject: Re: "Variable size" hash algorithm?
Date: 22 Dec 1999 19:59:18 -0800

In article [EMAIL PROTECTED],
Dan Day [EMAIL PROTECTED] wrote:
> I'm looking for a hash algorithm that can easily be
> "set" to produce hash values of practically any size.
> For example, given M bits of input, I'd like to have
> a "general" hash algorithm that can be used to
> produce any desired number of bits of output (or at
> least up to M bits of output).
>
> Is there such an animal?  Or do most cryptographically
> useful hash algorithms generally produce a fixed-size output,
> without an option to specify the desired output hash size?

I believe "HAVAL" is your answer. It's a variable
length hash algorithm from well-respected authors
(Pieprzyk, Seberry, ...). Published in one of the
Springer-Verlag journals some years ago.

Greg.
-- 
Greg Rose                    INTERNET: [EMAIL PROTECTED]
QUALCOMM Australia           VOICE:  +61-2-9181 4851   FAX: +61-2-9181 5470
Suite 410, Birkenhead Point  http://people.qualcomm.com/ggr/
Drummoyne NSW 2047           B5 DF 66 95 89 68 1F C8  EF 29 FA 27 F2 2A 94 8F

--

From: "Leslie Wagner" [EMAIL PROTECTED]
Subject: Classic Cryptanalysis Tools Needed
Date: Wed, 22 Dec 1999 23:37:57 -0500

Does anyone have any crib dragging and shotgun hill climbing routines or
programs they can share?

Thank you,

Les Wagner



--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: QPK
Date: Thu, 23 Dec 1999 11:03:29 +0100

Ian Goldberg wrote:

> Medical Electronics Lab [EMAIL PROTECTED] wrote:
>> Mok-Kong Shen wrote:
>>> But I do like to know what is your definition of 'probabilistic
>>> encryption'. Do you mean a process where at some step a decision
>>> is made depending on the output of a (deterministic) pseudo-random
>>> generator or else on a truly random event which even the legitimate
>>> receiver of the encrypted message can't know/predict? The first
>>> case would only be an application of PRNG (I used it in one of my
>>> schemes), while in the second case the receiver has no easier job
>>> than the analyst, or do I miss something?
>>
>> You encrypt with something that does not have a unique inverse.
>> If you know the key, there may be 4 or 8 "decryptions".  By checking
>> all of them, you can figure out which is the correct one by some
>> other item in the data.  The recipient does not know which one
>> is right a priori, they have to check them all.
>>
>> In this case, you add 2 or 3 bits to the analyst's task over
>> finding the key.  For the receiver, checking 8 possible decryptions
>> is trivial.
>
> Hmm.  I don't think that's the _usual_ definition of "probabilistic
> encryption".  What you describe is more like the differential workfactor
> stuff used in, for example, the export version of Lotus Notes.  The
> sniffer needs to try 2^64 keys to break the message, but the "intended"
> recipient (the NSA) is told 24 of them, so they only need to try 2^40
> keys (easy!). :-)
>
> What I usually call "probabilistic encryption" is where the space C of
> ciphertexts is partitioned into a number of subsets, each corresponding
> to an element of the space P of plaintexts.  This partitioning and
> corresponding is key-dependent, of course.  The output of an encryption
> of a given plaintext is a *random* element of the subset of C which
> corresponds to that plaintext.  So _encryption_ of a message can take on
> a large number of values.  In contrast, _decryption_ is unique; given
> any element of C, it is in exactly one of the partitions, which
> corresponds to exactly one element of P.
>
> This notion is most commonly used in publi
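The partition picture Ian Goldberg gives, as an added example in Python that is not his code: Goldwasser-Micali encryption of a single bit. The ciphertext space (units mod N with Jacobi symbol +1) splits into the quadratic residues, which all decrypt to 0, and the non-residues, which all decrypt to 1; encryption picks a random element of the right half, decryption with the factorisation is unique. The toy primes 7 and 11, the seed and the `gm_demo` helper are assumptions of this example.

```python
import math
import random

def legendre(a, p):
    """Euler's criterion for an odd prime p: 1 if a is a quadratic residue, p-1 if not."""
    return pow(a, (p - 1) // 2, p)

def jacobi_is_one(c, p, q):
    """(c/pq) = +1 exactly when c has the same residuosity mod p and mod q."""
    return (legendre(c, p) == 1) == (legendre(c, q) == 1)

def gm_keygen(p, q, rng):
    """Public key (N, x): x is a non-residue mod p and mod q, so (x/N) = +1
    although x is not a square mod N. Private key: the factorisation."""
    n = p * q
    while True:
        x = rng.randrange(2, n)
        if legendre(x, p) == p - 1 and legendre(x, q) == q - 1:
            return (n, x), (p, q)

def gm_encrypt(pub, bit, rng):
    """A *random* element of the subset for this bit: y^2 * x^bit mod N, y a random unit."""
    n, x = pub
    y = rng.randrange(1, n)
    while math.gcd(y, n) != 1:
        y = rng.randrange(1, n)
    return (y * y * pow(x, bit, n)) % n

def gm_decrypt(priv, c):
    """Unique: knowing p, c is a residue mod p exactly when the bit was 0."""
    p, _ = priv
    return 0 if legendre(c % p, p) == 1 else 1

def partition_sizes(pub, priv):
    """Size of each plaintext's subset of the ciphertext space."""
    n, _ = pub
    p, q = priv
    sizes = {0: 0, 1: 0}
    for c in range(1, n):
        if math.gcd(c, n) == 1 and jacobi_is_one(c, p, q):
            sizes[gm_decrypt(priv, c)] += 1
    return sizes

def gm_demo(seed=0, trials=40):
    """Every ciphertext decrypts to the bit it encrypted, yet repeated
    encryptions of the bit 1 yield several different ciphertexts."""
    rng = random.Random(seed)
    pub, priv = gm_keygen(7, 11, rng)   # assumed toy primes; N = 77
    bits = [rng.randrange(2) for _ in range(trials)]
    cts = [gm_encrypt(pub, b, rng) for b in bits]
    all_ok = all(gm_decrypt(priv, c) == b for c, b in zip(cts, bits))
    ones = {c for c, b in zip(cts, bits) if b == 1}
    return partition_sizes(pub, priv), all_ok, len(ones) > 1
```

With N = 77 there are 60 units, 30 of them with Jacobi symbol +1, and those split 15/15 between the two plaintexts.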

Cryptography-Digest Digest #786

1999-06-27 Thread Digestifier

Cryptography-Digest Digest #786, Volume #9   Sun, 27 Jun 99 12:13:03 EDT

Contents:
  Re: A few questions on RSA (S.T.L.)
  Re: On an old topic of internet publication of strong crypto (Bill Unruh)
  Re: On an old topic of internet publication of strong crypto (JPeschel)
  Re: A few questions on RSA (David A Molnar)
  Re: determining number of attempts required (JPeschel)
  Re: DES-NULL attack (Thomas Pornin)
  Re: Moores Law (a bit off topic) (Thomas Pornin)
  Re: DES-NULL attack (Rob Warnock)
  Re: Moore's Trend ([EMAIL PROTECTED])
  Re: Converting arbitrary bit sequences into plain English texts ([EMAIL PROTECTED])
  Re: Moore's Trend (fungus)
  Des keys ([EMAIL PROTECTED])
  Re: Tough crypt question:  how to break ATT's monopoly??? (fungus)
  Re: Tough crypt question:  how to break ATT's monopoly??? (fungus)
  Re: Kryptos article (Lincoln Yeoh)
  Re: Des keys (fungus)
  Re: Des keys (Thomas Pornin)
  Re: Kryptos article (Lincoln Yeoh)
  Re: Tough crypt question:  how to break ATT's monopoly??? (Dave Hazelwood)
  Re: A few questions on RSA (DJohn37050)
  New version of free disk encryption product for NT (with Scramdisk support) ([EMAIL PROTECTED])
  --- sci.crypt charter: read before you post (weekly notice) (D. J. Bernstein)



From: [EMAIL PROTECTED] (S.T.L.)
Subject: Re: A few questions on RSA
Date: 27 Jun 1999 06:34:33 GMT

> There are attacks for small public
> keys, but there small = "e = 3".

Really? How do they work?

-*---*---
S.T.L.  === [EMAIL PROTECTED] ===  BLOCK RELEASED!  2^3021377 - 1 is PRIME!
Quotations:  http://quote.cjb.net  Main website:  http://137.tsx.org  MOO!
"Xihribz! Peymwsiz xihribz! Qssetv cse bqy qiftrz!"  e^(i*Pi)+1=0   F00FC7C8
E-mail block is gone. It will return if I'm bombed again. I don't care, it's
an easy fix. Address is correct as is. The courtesy of giving correct E-mail
addresses makes up for having to delete junk which gets through anyway. Join
the Great Internet Mersenne Prime Search at http://entropia.com/ips/  Now my
.sig is shorter and contains 3379 bits of entropy up to the next line's end:
-*---*---

Card-holding member of the Dark Legion of Cantorians, the Great SRian
Conspiracy, the Triple-Sigma Club, and the Union of Quantum Mechanics
Avid watcher of "World's Most Terrifying Causality Violations", "World's
Scariest Warp Accidents", and "When Tidal Forces Attack: Caught on Tape"
Patiently awaiting the launch of Gravity Probe B and the discovery of M39
Physics Commandment #2: Thou Shalt Conserve Mass/Energy In Closed Systems.

--

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: On an old topic of internet publication of strong crypto
Date: 27 Jun 1999 06:33:04 GMT

In [EMAIL PROTECTED] [EMAIL PROTECTED] (JPeschel)
writes:
> That's not what he said. A scientific paper is not subject to export
> restriction.

This is true if it is on paper. However if it is posted on the net, and
it contains crypto source code then it is export restricted. This is
precisely the heart of the Bernstein case.


--

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: On an old topic of internet publication of strong crypto
Date: 27 Jun 1999 06:54:08 GMT

[EMAIL PROTECTED] (Bill Unruh) writes:

>> That's not what he said. A scientific paper is not subject to export
>> restriction.
>
> This is true if it is on paper. However if it is posted on the net, and
> it contains crypto source code then it is export restricted. This is
> precisely the heart of the Bernstein case.

Yeah, Bill, you're right, the paper cannot contain source code
and be posted on the net.  I thought I made the distinction between 
source code and scientific paper clear. I guess not. It seemed
obvious to me that a scientific paper, in electronic form, that
contained source would be export restricted. 

Joe 


__

Joe Peschel 
D.O.E. SysWorks 
http://members.aol.com/jpeschel/index.htm
__


--

From: David A Molnar [EMAIL PROTECTED]
Subject: Re: A few questions on RSA
Date: 27 Jun 1999 07:22:03 GMT

S.T.L. [EMAIL PROTECTED] wrote:
>> There are attacks for small public
>> keys, but there small = "e = 3".
>
> Really? How do they work?

Very vaguely : by using several related ciphertexts to
develop a system of simultaneous equations, then 
finding equivalent equations which can be solved over
the integers with the same solutions. Since it is 
easy to solve equations like x^y = c over the
integers, this breaks the system and recovers 
the message in question. 
 
Alternative vague formulation : construct a
lattice from a system of simultaneous 
equations based on some ciphertexts. Show
that the vectors in this lattice are unique
within a ball of exponential radius. i
Fix it so the shortest