Cryptography-Digest Digest #813

2001-03-05 Thread Digestifier

Cryptography-Digest Digest #813, Volume #13   Tue, 6 Mar 01 00:13:01 EST

Contents:
  Re: One-time Pad really unbreakable? (Steven Smolinski)
  Re: Super strong crypto (David Wagner)



From: [EMAIL PROTECTED] (Steven Smolinski)
Subject: Re: One-time Pad really unbreakable?
Reply-To: Steven Smolinski [EMAIL PROTECTED]
Date: Tue, 06 Mar 2001 04:13:23 GMT

Douglas A. Gwyn [EMAIL PROTECTED] wrote:
> Steven Smolinski wrote:
> > If you can break a one-time pad if you get two ciphertexts made with
> > the same key, why can't you divide one ciphertext in half and apply
> > the same analysis?
>
> I think you're confusing "the same key" used twice with "two parts of
> the same key, each used once".

I was; thanks (to all) for replies.

I had forgotten that the keylength in a one-time pad must be greater
than the plaintext length to be secure, and just assumed that it would
repeat in a single message.

[... snip excellent explanation ...]
> Try that where instead of KEY you have FIRST_HALF_OF_KEY and
> SECOND_HALF_OF_KEY and you should see why it doesn't work; we
> cannot rely on a common KEY to relate the two texts.

Yeah, if it's FIRST_HALF and SECOND_HALF, it's just like having two
separate plaintexts enciphered with two separate keys; there's no
relation.

Again, thanks.

Steve
-- 
Steven Smolinski = http://www.steven.cx/
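
The distinction Gwyn draws above, worked through in code. This is an added example, not part of the thread: the messages and the 16-byte key are constructed toy values. The first two functions show that with one key used for two messages the key cancels out of c1 XOR c2, so a known first plaintext yields the second; the last function shows that XORing the two halves of a single ciphertext leaves k_first XOR k_second in the result, so nothing key-independent is exposed.

```python
"""Why reusing a one-time-pad key leaks, while two halves of one key do not.

Constructed example (not from the digest): messages and keys are toy values.
"""
import random


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """One-time-pad encryption.  Refuses a key shorter than the plaintext:
    recycling pad bytes inside one message is the same mistake as using
    the key for two messages."""
    if len(key) < len(plaintext):
        raise ValueError("key shorter than plaintext: the pad would repeat")
    return xor_bytes(plaintext, key[: len(plaintext)])


def ciphertext_xor(p1: bytes, p2: bytes, key: bytes) -> bytes:
    """Two messages under the SAME key: c1 XOR c2 == p1 XOR p2.
    The key cancels, so the relation between the plaintexts is public."""
    return xor_bytes(otp_encrypt(p1, key), otp_encrypt(p2, key))


def recover_second_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Consequence of key reuse: if p1 is known, p2 = c1 XOR c2 XOR p1."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def half_xor_depends_on_key(plaintext: bytes, trials: int = 64) -> bool:
    """Split ONE ciphertext (made with a fresh key) into two halves and XOR
    them.  The result is p_a XOR p_b XOR k_a XOR k_b: the key bits do not
    cancel, so the value changes from key to key.  Returns True when the
    halves' XOR varied across trials with different random keys, i.e. there
    is no key-independent relation to exploit."""
    rng = random.Random(20010306)  # fixed seed so the run is repeatable
    half = len(plaintext) // 2
    seen = set()
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(len(plaintext)))
        c = otp_encrypt(plaintext, key)
        seen.add(xor_bytes(c[:half], c[half : 2 * half]))
    return len(seen) > 1


if __name__ == "__main__":
    p1 = b"attack at dawn!!"          # constructed 16-byte messages
    p2 = b"retreat at noon!"
    key = bytes(range(16))            # constructed 16-byte key (never reuse one)
    c1, c2 = otp_encrypt(p1, key), otp_encrypt(p2, key)
    print(ciphertext_xor(p1, p2, key) == xor_bytes(p1, p2))  # True: key cancelled
    print(recover_second_plaintext(c1, c2, p1))              # b'retreat at noon!'
    print(half_xor_depends_on_key(p1))                       # True: halves stay key-dependent
```

The practical lesson is the one Steve draws: a pad must be at least as long as everything it ever encrypts, and `otp_encrypt` enforces that instead of silently wrapping the key.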

--

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Super strong crypto
Date: 6 Mar 2001 04:23:44 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Douglas A. Gwyn wrote:
> For example, exhibit *any*
> practical C/A attack against the phase 3 design in a normal
> scenario (known PT and CT, multiple sessions with same initial
> key).  If there isn't one, then the design goals have been met.

Of course, one could issue the very same challenge about, say, AES.
If lack of known attacks is our criterion, we don't need new systems.
So it seems the $64,000 question here is: What is our criterion for
success, and how do we gain confidence that the new proposal is any
better than existing techniques?  In the absence of any _proof_ of
security (which we do not at present have), this seems to be the part
that has to be justified quite carefully.

--


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
**



Cryptography-Digest Digest #813

2000-10-02 Thread Digestifier

Cryptography-Digest Digest #813, Volume #12   Mon, 2 Oct 00 12:13:00 EDT

Contents:
  Re: Choice of public exponent in RSA signatures (Bodo Moeller)
  Re: Why is TwoFish better than Blowfish? (SCOTT19U.ZIP_GUY)
  Re: CRT and RSA 2 (Francois Grieu)
  Re: Choice of public exponent in RSA signatures (Francois Grieu)
  RE: Ciphers and Unicode ("Manuel Pancorbo")
  Re: Choice of public exponent in RSA signatures (Francois Grieu)
  Re: Choice of public exponent in RSA signatures ("John A.Malley")
  Project: Digital Signing and Encrypting Application (Patrick Reynolds)
  Re: CPU's aimed at cryptography (JCA)
  Re: AES announcement due Monday 2nd October (Bruce Schneier)
  Re: NIST Statistical Test Suite ("Cristiano")
  Re: Adobe Acrobat -- How Secure? (Jonathan Thornburg)
  It's Rijndael (David Lesher)
  Re: It's Rijndael (Quisquater)
  Re: It's Rijndael (Helger Lipmaa)
  Re: It's Rijndael (Ed Kubaitis)
  Re: It's Rijndael (Quisquater)
  Re: It's Rijndael (David Lesher)
  RE: Ciphers and Unicode ("Manuel Pancorbo")
  Re: It's Rijndael (David Lesher)
  Re: It's Rijndael (Jim Gillogly)



From: [EMAIL PROTECTED] (Bodo Moeller)
Subject: Re: Choice of public exponent in RSA signatures
Date: 2 Oct 2000 13:14:19 GMT

Thomas Pornin [EMAIL PROTECTED]:

> > I'm trying to understand why so many professionals swear by it !
>
> RSA-based PGP used 65537. This is enough to create fashion.

Wrong.  PGP 2.x usually uses  e = 17,  where  e  is made larger if this
is necessary to make it relatively prime to both  p - 1  and  q - 1.
Also larger bit lengths can be requested at the command line, but this
additional parameter is not documented.


-- 
Bodo Möller [EMAIL PROTECTED]
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036

--

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Why is TwoFish better than Blowfish?
Date: 2 Oct 2000 13:17:28 GMT

[EMAIL PROTECTED]=NOSPAM (Arturo) wrote in
[EMAIL PROTECTED]: 



> Nope.  Blame the author because he did put the names.  I just said
> "blame" in a humorous sense.  Of course, he might be working for the
> NSA, and adopted the name after their suggestions.  I could be working
> myself for the NSA (just in case I am: please get me a salary raise).

   I guess this explains why you never replaced your RLE with a bijective
RLE which would be more efficient. If you work for the NSA one of
your goals matches one of theirs. That is to keep people using
poor compression so that ciphers which use a compression stage
are easy to break.


   There are a lot of conflicting requirements. For one make it
secure but make it fast. For my purposes secure is a much more
valuable requirement. The problem is you really can't measure security
because what is secure today is insecure tomorrow.

> Granted.  But you can't wait till tomorrow if you need it today.  DES
> has awaited replacement for too long.  And since nobody can guess the
> future, all we can do is test algorithms with the best techniques
> available today.  Both TripleDES and IDEA are quite robust, so I could
> choose IDEA which is faster.
>
> Yeah, you can prove that CAST is 10^10 times stronger than IDEA.  But if
> that means that it would take 10^50 years to break it instead of 10^40,
> that's overkill.



  I don't think you can prove CAST or IDEA would take more than one year
to crack unless that same "proof" is based on some weak assumption that no
underlying break is in either system. If your proof is based on some
hand-waving evidence of one using a blind key search, we could prove
some versions of Enigma are still safe, if it was not for the fact
we know they are not.

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

--

From: Francois Grieu [EMAIL PROTECTED]
Subject: Re: CRT and RSA 2
Date: Mon, 02 Oct 2000 15:26:40 +0200

Soeren Gammelmark  [EMAIL PROTECTED] asked how to derive the formulas
used for secret-key RSA calculation with the CRT:

> How can you deduce:
> m1 = c ^ (d mod (p - 1)) mod p   and   m2 = c ^ (d mod (q - 1)) mod q
> from m = c ^ d mod n ?

We can write  d =  d % (p - 1) + floor(d/(p-1)) * (p-1)
and thus  c ^ d = (c ^ (d % (p - 1))) * ((c ^ (p-1)) ^ floor(d/(p-1)))

In the (general) case that 
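
Bodo Möller's description earlier in this digest of how PGP 2.x picks e (start at 17, enlarge it only when it is not relatively prime to both p - 1 and q - 1) and Francois Grieu's CRT derivation (c^d mod p == c^(d mod (p-1)) mod p, because the factor (c^(p-1))^floor(d/(p-1)) is 1 mod p by Fermat whenever p does not divide c) can be checked together on toy numbers. The following is an added example, not PGP's code and not from either post. The primes 103 and 2357 are constructed so that both 17 and 19 fail the coprimality test, and stepping e to the next odd number is my assumption about how "made larger" is done.

```python
"""Public-exponent selection in the PGP 2.x style, plus the RSA-CRT identity.

Constructed example: toy primes, not PGP's or anyone else's code.
"""
from dataclasses import dataclass
from math import gcd
from typing import Tuple


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True


def choose_public_exponent(p: int, q: int, start: int = 17) -> int:
    """Smallest odd e >= start with gcd(e, p-1) == gcd(e, q-1) == 1.
    Stepping by 2 is an assumption about how e is 'made larger'."""
    e = start
    while gcd(e, p - 1) != 1 or gcd(e, q - 1) != 1:
        e += 2
    return e


@dataclass(frozen=True)
class RsaKey:
    n: int
    e: int
    d: int
    p: int
    q: int


def rsa_keygen(p: int, q: int) -> RsaKey:
    """Build a key from two given primes (constructed inputs, not random)."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    e = choose_public_exponent(p, q)
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return RsaKey(n=p * q, e=e, d=d, p=p, q=q)


def decrypt_plain(c: int, k: RsaKey) -> int:
    """Textbook m = c^d mod n."""
    return pow(c, k.d, k.n)


def crt_halves(c: int, k: RsaKey) -> Tuple[int, int]:
    """m1, m2 exactly as in the question: exponent reduced mod p-1 and q-1."""
    return pow(c, k.d % (k.p - 1), k.p), pow(c, k.d % (k.q - 1), k.q)


def decrypt_crt(c: int, k: RsaKey) -> int:
    """Recombine the halves with Garner's formula: m = m2 + q*((m1-m2)*q^-1 mod p)."""
    m1, m2 = crt_halves(c, k)
    q_inv = pow(k.q, -1, k.p)
    h = (q_inv * (m1 - m2)) % k.p
    return m2 + h * k.q


def halves_match_full_exponent(c: int, k: RsaKey) -> bool:
    """The identity being derived: c^d mod p == c^(d mod (p-1)) mod p, and
    likewise for q.  Holds because c^(p-1) == 1 mod p when p does not divide c."""
    m1, m2 = crt_halves(c, k)
    return m1 == pow(c, k.d, k.p) and m2 == pow(c, k.d, k.q)


if __name__ == "__main__":
    key = rsa_keygen(103, 2357)   # 102 = 2*3*17 and 2356 = 4*19*31, so e lands on 23
    m = 123456                    # constructed message, m < n
    c = pow(m, key.e, key.n)
    print(key.e, decrypt_plain(c, key), decrypt_crt(c, key), halves_match_full_exponent(c, key))
```

The exponent walk is visible in the key: 17 shares a factor with 102, 19 divides 2356, 21 shares 3 with 102, so 23 is the first candidate relatively prime to both. The CRT check is the point of Grieu's reply: reducing d modulo p - 1 changes nothing modulo p, which is why implementations can work with the two short exponents instead of the full d.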

Cryptography-Digest Digest #813

2000-05-18 Thread Digestifier

Cryptography-Digest Digest #813, Volume #11  Thu, 18 May 00 13:13:01 EDT

Contents:
  Re: AES final comment deadline is May 15 (David A Molnar)
  Re: NSA hardware evaluation of AES finalists (Paul Koning)
  Re: sci.crypt cipher contest (Paul Koning)
  Re: Skipjack implementation in C ("Douglas A. Gwyn")
  Re: AES final comment deadline is May 15 (Tom St Denis)
  Re: Definition of "Broken" Cipher ("Douglas A. Gwyn")
  Re: bamburismus ("Douglas A. Gwyn")
  Re: AES final comment deadline is May 15 (Mok-Kong Shen)
  Re: Please help to decipher ("Douglas A. Gwyn")
  Re: sci.crypt cipher contest (Andru Luvisi)
  Re: Is OTP unbreakable? (Mickey McInnis)
  Re: AES final comment deadline is May 15 (Mark Wooding)
  Re: PADDING problems ("Adam Durana")



From: David A Molnar [EMAIL PROTECTED]
Subject: Re: AES final comment deadline is May 15
Date: 18 May 2000 15:50:24 GMT

Volker Hetzer [EMAIL PROTECTED] wrote:

> Does anybody think that twofish is handicapped, because B. has stepped
> on a few toes?
> - it's a kinda upstart'ish company, at least when compared
>   to the biggies like IBM or RSAlabs
> - B. has blown both of their candidates out of the water and is
>   (IMHO) at least equal to the others.

NIST is ultimately responsible for the decision, right? Well, maybe the
NIST and the NSA. Do they care about this? 

> - Counterpane is no university either, yet certainly as competent as any
>   university department in the field.

Just a tangent : which university departments are strong in block ciphers,
hash functions, and other symmetric primitives? I can remember some names
of researchers off the top of my head, but I can't remember where they
all are...


> - B. has had a big part in the explosion of the myth of cryptography as
>   some kind of secret science reserved for governments and big companies
>   who got a lot of profit out of the users (former) ignorance.

Again, why will NIST care about this? Maybe the NSA will, but it's my hope
that they'll get on to more important things. Like figuring out how to
tweak AES to add back doors. :-) (that's a joke)

> Do you think that the "establishment" is going to resent that and
> that it will influence the AES decision?

At this point, I think it might be better to look at who exactly is making
the decision. Then ask if any of the above might apply. My hope is that
the first two points will not apply at all. Why should NIST care, even
_if_ some people at IBM or RSADSI might possibly be put off by the
"upstart"? 

I doubt the fact that Counterpane is not a university would carry
much weight, either. Twofish made the cut. It's proved itself over
many other algorithms, some of which were designed by universities. 
Why should this start to matter now?

For the last point -- who knows. Maybe he did upset the NSA. For some
strange reason, I have confidence that this will take a back seat to
how strong they believe Twofish to be. 

If by "establishment" you mean academic and corporate cryptographers,
then I'm not sure how any possible resentment on their part will
influence the AES decision at this point. At least in theory, it's
supposed to be made by NIST. I don't know anything about
the politics involved with the NIST -- is there some reason to believe
that they would be influenced by what personal feelings exist on the part
of the "establishment" ?

Look - whichever algorithm(s) NIST picks as AES, they have a heck of a lot
of explaining to do. Barring something dramatic like a break of 4 of the 5
candidates, I don't see any way for them to prove, beyond the shadow of
a doubt, that any final choice is "the best." So we can, should, and
no doubt *will* spend lots of time second-guessing the decision. 

The thing is, unless we can take this line of questioning farther than
hand-waving about "the establishment", I'm not sure what makes it more
useful than speculating about the magic NSA factoring/DL algorithm. In
fact, it seems less useful, since you can always switch to Twofish if it
isn't picked and you believe it to be more secure than AES. 

Then again, I don't know very much about whether or not there is a  
connection between "the establishment" and NIST. If there is a good 
reason to believe this is a concern, I'm interested. 

Thanks,
-David

--

From: Paul Koning [EMAIL PROTECTED]
Subject: Re: NSA hardware evaluation of AES finalists
Date: Thu, 18 May 2000 11:27:01 -0400

Ken Lamquist wrote:
> ...
> It's unfortunate that it appeared on the last day of the public
> comment period, since it means that the public comment mechanism
> cannot be used to point out any limitations or flaws of the analysis.

Indeed.

Then again, standard government comment procedure (as done,
for example, by the FCC in its rulemaking process) has two
periods, one fo

Cryptography-Digest Digest #813

1999-12-30 Thread Digestifier

Cryptography-Digest Digest #813, Volume #10  Thu, 30 Dec 99 18:13:01 EST

Contents:
  stupid question ("Buchinger Reinhold")
  Re: Secure Delete Not Smart (Johnny Bravo)
  Re: File format for CipherSaber-2? (Johnny Bravo)
  Re: HD encryption passphrase cracked! (Keith A Monahan)
  Re: cryptography website(dutch)! ("Red Shadow")
  Re: Attacks on a PKI (Greg)
  Re: cryptography website(dutch)! (CLSV)
  Re: Secure Delete Not Smart (Jim)
  Re: Secure Delete Not Smart (Jim)
  Re: Encryption:  Do Not Be Complacent (Jim)
  Re: SSL And Certificate Verifications (Paul Rubin)
  Re: stupid question (NFN NMI L.)
  Re: Cryptography in Tom Clancy (NFN NMI L.)
  Re: PKZIP compression security (NFN NMI L.)
  Re: PKZIP compression security (ChenNelson)
  Re: stupid question ("Joseph Ashwood")
  Re: Cryptography in Tom Clancy (John Savard)
  Re: File format for CipherSaber-2? (lordcow77)
  Re: Secure Delete Not Smart (T. Sean)
  Re: Secure Delete Not Smart (T. Sean)
  Re: Secure Delete Not Smart (T. Sean)
  Re: Secure Delete Not Smart (T. Sean)



From: "Buchinger Reinhold" [EMAIL PROTECTED]
Subject: stupid question
Date: Wed, 29 Dec 1999 13:28:48 +0100

Hi !

I have a stupid question. But what is the difference between a key of a
stream cipher and a key of a one-time pad ???

Thanks !!

Reinhold



--

From: [EMAIL PROTECTED] (Johnny Bravo)
Crossposted-To: alt.privacy
Subject: Re: Secure Delete Not Smart
Date: Thu, 30 Dec 1999 13:35:40 GMT

On Thu, 30 Dec 1999 10:08:24 -0500, Mark D [EMAIL PROTECTED]
wrote:

> OK, so put the CD in an oven for 30 minutes... I'd like to see that
> recovered!

  Or in a microwave for 5 seconds on high.  Fantastic lightshow, very
bad for the media. :)

  Best Wishes,
Johnny Bravo


--

From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: File format for CipherSaber-2?
Date: Thu, 30 Dec 1999 13:44:18 GMT

On 30 Dec 1999 08:50:37 -, Paul Crowley
[EMAIL PROTECTED] wrote:

> Here's what I proposed for CipherSaber-3:
>
> (1) Fix the number of repeats to a power of 2 = 256

  Do you realize that this makes message encryption nearly impossible?
2.9e80 swapping operations have to be performed before you can encrypt
one message.  And you can't store this value and use it next time,
because the IV is different.  Then the recipient has to perform 2.9e80
swapping operations just to check the first key.  And if that doesn't
work 2.9e80 more operations for the second, then 5.8e160 for the third
key.  

  Johnny Bravo


--

From: [EMAIL PROTECTED] (Keith A Monahan)
Subject: Re: HD encryption passphrase cracked!
Date: 30 Dec 1999 18:57:22 GMT

Guy,

The funny thing is I used that password for literally years on a somewhat
regular basis.  I had no problems remembering it in the past but I went
on a trip last June and after spending a couple weeks overseas, and a
couple Guinnesses in Ireland -- I came back dumbfounded to remember the
entire thing.  I did recall a very large portion of it, but forgot placement
(and order) of symbols, and I thought I was missing a word.  What really
happened was I typed it incorrectly once, and then I tried a couple of
combinations, and before you know it I was forgetting it because all the
combinations confused me!

For the longest time I was typing the password by memory of the keys --
I'm a fairly proficient typist, and I type with thoughts rather than
characters -- with words instead of letters that comprise the word.  So,
to make a long story short, my hands remembered day after day after day
the passphrase, but my brain didn't.

Keith

P.S. A lot of people say, "That would never happen to me"

Guy Macon ([EMAIL PROTECTED]) wrote:
: In article 84dq9o$a5g$[EMAIL PROTECTED], [EMAIL PROTECTED] (Keith A 
:Monahan) wrote:
: 
: Hey,
: 
: NFN NMI L. ([EMAIL PROTECTED]) wrote:
: : "Secure Deletion of Magnetic Media", Peter Gutmann. Good reading. I have the
: : URL somewhere.
: 
: It's http://www.uncwil.edu/Ed/INSTRUCT/burt/edn416/secure_del.html here.
: 
: : By the way, now that it doesn't matter, what WAS the passphrase? :-D
: 
: I did contemplate posting it as most people would probably get a kick
: out of it and would understand why it took so long.  However, if someone
: managed to get ahold of the ciphertext say awhile back, they could now
: use the key. Sorry! :)

: A 44 word passphrase with 7 punctuation characters?  Don't you think that
: you went just a bit overboard?   Just using "I did contemplate posting it
: as most people would probably get a kick out of it" would seem to be
: secure enough.  No wonder you found it hard to remember!



--

From: "Red Shadow" [EMAIL PROTECTED]
Subject: Re: cryptography website(dutch)!
Date: Thu, 30 Dec 1999 20:03:02 +0100

ya indeed that's right
John Savard [