Cryptography-Digest Digest #829
Cryptography-Digest Digest #829, Volume #11        Sun, 21 May 00 13:13:00 EDT

Contents:
  Re: AES final comment deadline is May 15 (Mark Wooding)
  Re: QUESTIONS About ALGOS !! (tomstd)
  Re: Q: Recording on magnetic cards (Mok-Kong Shen)
  Re: Re: Who has got RSA simple program (sources on C/C++)? (tomstd)
  Re: Interpretation of Hitachi patent claims ("Lyalc")
  Re: Q: Recording on magnetic cards (Troed)
  Re: Encrypting random data (Tim Tyler)
  Re: Encrypting random data (tomstd)
  Again about Fast RC5 (tomstd)
  Re: Probabilistic Encryption (David A Molnar)
  Re: quantum crypto breakthru? (Tim Tyler)
  Re: Q: Recording on magnetic cards (Francois Grieu)
  Re: Is OTP unbreakable? (Paul Schlyter)
  Access Encryption ("John E. Kuslich")
  Re: Compare 3DES's. (long) (Was: Mixmasters encrypt how?) ("Trevor L. Jackson, III")
  Plain simple (?) question (Alain CULOS)
  Re: Interpretation of Hitachi patent claims ("Trevor L. Jackson, III")
  Re: More on Pi and randomness ("Trevor L. Jackson, III")
  Re: Compare 3DES's. (long) (Was: Mixmasters encrypt how?) (David A. Wagner)

--

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: AES final comment deadline is May 15
Date: 21 May 2000 10:34:11 GMT

Scott Contini [EMAIL PROTECTED] wrote:

> You are assuming single block encryption. RC6 seems to do quite well on many modern 32/64-bit processors if you simultaneously encrypt multiple blocks. You just get a lot more freedom on how to schedule the multiplies, which makes the timings much better than single block encryption. Rijndael, Serpent, and Twofish do not get nearly as much of a benefit from this as RC6 does.

In other words, to get reasonable performance out of RC6 you need to start using nonstandard encryption modes.

> There is a lot to say for having a simple cipher that is easy to analyze, like RC6. For example, consider this: when RC6 was submitted to the AES, it was suggested that 16 rounds could be attacked using linear cryptanalysis, and such an attack was described. Nobody has improved on this result.

Yet.

> Moreover, RC6 bases its security on the data dependent rotation (which is "strengthened" through the f(x) = 2*x^2 + x function) which has been well studied from 6 years of public research on RC5.

Don't forget that the first sensible attack against DES's S-boxes -- Biham and Shamir's differential cryptanalysis -- came about fifteen years after the cipher was introduced. I don't think that six years is really long enough for us to say that a particular new component is `strong'. Any clever new attacks directed specifically against data dependent rotations leave RC6 hanging out to dry.

> When NIST suggested that simplicity of a cipher was important, it was so that the cipher could be readily analyzed and people can get a good feeling for the security the cipher offers. Many of the comments I am reading on this newsgroup just seem to ignore the value of this.

I'll grant you that Twofish and MARS are complicated, and this is a legitimate point against them. I think MARS is ugly and kitchen-sink-ish in a way that Twofish isn't, though. But I don't see how you can claim that Rijndael and Serpent are less simple than RC6. Serpent, in particular, is based on very simple concepts: substitution tables (an idea which has been analyzed longer than data-dependent rotations) and a linear transformation for diffusion.

-- [mdw]

--

Subject: Re: QUESTIONS About ALGOS !!
From: tomstd [EMAIL PROTECTED]
Date: Sun, 21 May 2000 03:39:02 -0700

In article 8g7lbp$2sa$[EMAIL PROTECTED], "Scott Fluhrer" [EMAIL PROTECTED] wrote:

> tomstd [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > In article 8g78oq$fm2$[EMAIL PROTECTED], "Scott Fluhrer" [EMAIL PROTECTED] wrote:
> > > Jerry Coffin [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > > > In article 8fu3it$osb$[EMAIL PROTECTED], [EMAIL PROTECTED] says...
> > > > > I'm new in Encryption, and I've to implement an Encryption Algo for an application. But I have to make a choice between efficiency and speed !
> > > > > Well I'd like to know if the DES / 3DES is a very fast algo ?
> > > >
> > > > No. Rather the opposite: DES is fairly slow and 3DES is about one third that speed.
> > >
> > > Actually, before we make the pronouncements "DES is fairly slow and 3DES is slower", we need to ask the question: how fast does the OP need them to be? His definition of "very fast" may be drastically different than our definition of "very fast". If 3DES is fast enough for the OP (and none of the rest of us know enough to say), then 3DES may be a fine choice.
> >
> > 3des is not a bad choice, just not a good one for many tasks. It's cumbersome and slow.
>
> 3DES is sufficiently fast and sufficiently secure for many tasks. The OP has not posted his def
Cryptography-Digest Digest #829, Volume #10        Mon, 3 Jan 00 12:13:01 EST

Contents:
  Re: meet-in-the-middle attack for triple DES (DJohn37050)
  Re: Prime series instead (Re: Pi) (John Myre)
  Re: crypto and it's usage (Keith Monahan)
  Re: Attacks on a PKI (Shawn Willden)
  Re: Attacks on a PKI (Shawn Willden)
  Re: Attacks on a PKI (Shawn Willden)
  Re: Wagner et Al. (Steve K)
  Re: stupid question (No Spam)
  Re: stupid question (No Spam)
  Re: Bits 1 to 3 (Re: question about primes) ("Tony T. Warnock")
  Re: Attacks on a PKI (Larry Kilgallen)
  Re: Wagner et Al. (Tom St Denis)
  Re: Prime series instead (Re: Pi) ([EMAIL PROTECTED])
  Re: crypto and it's usage (Steve K)
  Re: "Variable size" hash algorithm? ("Peter K. Boucher")
  Re: Prime series instead (Re: Pi) ("Tony T. Warnock")
  List of english words ("John Lupton")

--

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: meet-in-the-middle attack for triple DES
Date: 03 Jan 2000 14:24:54 GMT

There are unique keys per transaction for PIN protection keys. This idea has been known. A problem with it is the set up time, changing the key all the time means normal performance speed ups are not possible.

Don Johnson

--

From: John Myre [EMAIL PROTECTED]
Subject: Re: Prime series instead (Re: Pi)
Date: Mon, 03 Jan 2000 07:33:46 -0700

"John E. Gwyn" wrote:
> "NFN NMI L." wrote:
> > The summation of the reciprocals of all the primes is infinite. Who knows what happens when you have alternating subtraction and addition?
>
> I think it still diverges, but I don't have a proof.

Any alternating sum (alternating addition and subtraction) where the terms decrease (to zero) converges. Note that any two consecutive values define boundaries on the sum; since the limit of the separation of these values is zero then the sum is indeed defined. (Picture the sums on the line; note that it goes back and forth, each time moving a shorter distance; the sum converges because in the limit the distance is zero).

John M.
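John Myre's bracketing argument, checked numerically as an added example that is not part of the original post: the partial sums of 1/2 - 1/3 + 1/5 - 1/7 + ... are computed over the primes below a chosen bound, and each consecutive pair is verified to enclose every later partial sum (the function names and the bound are this example's own choices).

```python
def primes_up_to(limit: int) -> list:
    """Sieve of Eratosthenes; returns all primes <= limit in increasing order."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


def alternating_partial_sums(limit: int) -> list:
    """S_k = 1/p_1 - 1/p_2 + 1/p_3 - ... over the primes p_i <= limit.

    The terms 1/p_i decrease strictly to zero, which is exactly the
    hypothesis of the alternating-series argument in the post."""
    sums, total = [], 0.0
    for k, p in enumerate(primes_up_to(limit)):
        total += (1.0 / p) if k % 2 == 0 else -(1.0 / p)
        sums.append(total)
    return sums


def brackets_nest(sums: list) -> bool:
    """Consecutive partial sums S_k, S_{k+1} bound the limit, and the bracket
    [S_{k+1}, S_{k+2}] lies inside [S_k, S_{k+1}], shrinking by
    1/p_{k+1} - 1/p_{k+2} each step.  Returns True if that holds throughout."""
    for k in range(len(sums) - 2):
        lo, hi = sorted(sums[k:k + 2])
        lo_next, hi_next = sorted(sums[k + 1:k + 3])
        if not (lo <= lo_next and hi_next <= hi):
            return False
    return True


def final_bracket(sums: list) -> tuple:
    """The last two partial sums: an interval guaranteed to contain the limit,
    of width 1/p_last."""
    return tuple(sorted(sums[-2:]))


if __name__ == "__main__":
    s = alternating_partial_sums(10000)
    lo, hi = final_bracket(s)
    print(f"{len(s)} terms, brackets nest: {brackets_nest(s)}, limit in [{lo:.6f}, {hi:.6f}]")
```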
--

From: Keith Monahan [EMAIL PROTECTED]
Subject: Re: crypto and it's usage
Date: Mon, 03 Jan 2000 14:58:21 GMT

Tom,

I use encryption on a daily basis to protect my privacy. With the government invading our privacy frequently, I feel it is important to protect ourselves. Who knows, what is legal today might not be legal tomorrow. It used to be legal to listen to cellphones via a scanner -- now it's a big crime. Incidentally, if the cellphone industry had taken steps to protect people's privacy via encryption, they wouldn't have had to lobby Congress so hard to ban the manufacturing of cellphone receiving scanners.

This is why I like encryption. Laws don't stop criminals because criminals don't obey laws. I don't want it *possible* to violate my privacy by violating a simple law. Because even putting that person in jail DOES NOT GIVE ME MY PRIVACY BACK. So, instead of protecting privacy via LAWS, our privacy has to be guaranteed by technology.

And yes, I know we don't have any provably secure USABLE algorithms for encryption. I feel an argument can be made that says that it is easier to break an unenforceable law than it is to break Blowfish. It all depends on your threat model...

I run realtime on-the-fly hard drive encryption under Windows95. Not the most secure platform, but I do things like disabling virtual memory, clearing registry entries (like recent file entries), wiping file slack space, wiping unused drive space, etc. I'm really trying to avoid the side-channel attacks as that is probably more likely than someone breaking 256-bit Blowfish. And plus, I use good passphrases.

So, life threatening? No. Important? Yes.

I also use PGP occasionally to exchange email between friends when discussing things of a delicate nature. And of course, like the other gentleman mentioned, I use SSL to secure private things like account balances at pitt.edu -- but never my credit cards.

Sorry if this got a little OT,

Keith

Tom St Denis wrote:
> I was just wondering how many people here actually use crypto. I mean almost anyone here can pull apart ideas and have fun, but does anyone use what's left?
>
> I personally use it just for fun, and sometimes to keep things private. Nothing life threatening...
>
> Anyone else?
>
> Tom
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.

--

Date: Sun, 02 Jan 2000 17:54:56 -0700
From: Shawn Willden [EMAIL PROTECTED]
Subject: Re: Attacks on a PKI

Mickey McInnis wrote:
> Do Netscape and IE require that the certificates be specific to the domain name, or does it just require that a certificate be used?

They check the domain name. Of course, DNS is not a secure service and can be spoofed easily by someone with appropriate access...

Shawn.

--
Cryptography-Digest Digest #829, Volume #9         Sun, 4 Jul 99 17:13:03 EDT

Contents:
  Re: Ciphers based on HASH functions ([EMAIL PROTECTED])
  Re: RSA Padding ([EMAIL PROTECTED])
  Re: Quantum Computers ("rosi")
  Re: Quantum Computers ("rosi")
  Re: Standard Hash usage (David P Jablon)
  Free chapters from Handbook of Applied Cryptography (Alfred John Menezes)
  more on additive generators ([EMAIL PROTECTED])
  Re: Secure link over Inet if ISP is compromized. ("Else")
  RNG/PRNG paper for reading+editing (Eli)
  Re: Quantum Computers (David A Molnar)
  Decrypting files encrypted with Cold Fusion's cfcrypt.exe (Bob)
  MP3 Security Requirements? (Thierry Moreau)
  Crypto Books on CD-ROM ([EMAIL PROTECTED])
  Re: Can Anyone Help Me Crack A Simple Code? (wtshaw)

--

From: [EMAIL PROTECTED]
Subject: Re: Ciphers based on HASH functions
Date: Sun, 04 Jul 1999 15:39:38 GMT

In article 7lmbh2$h5m$[EMAIL PROTECTED], [EMAIL PROTECTED] wrote:
> There has been some research into creating block ciphers using hash functions, however I think there was some concern as to how secure they are due to the fact that hash functions were designed with different properties in mind. My question is, would a block cipher based on HMAC's be better? A HMAC is designed to withstand around using a key, so wouldn't that make a better S-Box than a regular hash function?

BEAR and LION are two modern examples of ciphers using HASH functions. They require that the HASH function be secure, but can become victim to mitm attacks and possibly slide attacks as well. Mainly HASH functions are designed along the same lines as block ciphers but require collision resistant compression functions. TIGER for example has sboxes like many block ciphers do. Most hashes are UFN type 'ciphers'...

These cipher constructions are not popular for several reasons.

a) they are slow. It requires performing an entire HASH function for one round (they normally have 3 rounds or so..).
b) they are larger (require code for hash).
c) the strength is co-dependent on the hash function and cipher construction (meaning too many eggs in one basket).

Tom
--
PGP key is at: 'http://mypage.goplay.com/tomstdenis/key.pgp'.

Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

--

From: [EMAIL PROTECTED]
Subject: Re: RSA Padding
Date: Sun, 04 Jul 1999 15:33:37 GMT

[snip]

You must pad RSA messages otherwise they will fall victim to frequency analysis. For this same reason the smallest block ciphers are 64 bits. I would read PKCS #1 which is supposed to cover padding RSA messages.

Tom

Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

--

From: "rosi" [EMAIL PROTECTED]
Subject: Re: Quantum Computers
Date: Sun, 4 Jul 1999 11:23:53 -0400

???

--- (My Signature)

Anton Stiglic wrote in message ...
> In a Quantum World, Quantum Crypto is unconditionally secure. In fact, Quantum Crypto is already publicly implemented (Los Alamos and other places). It is much easier to implement than a Quantum Computer (it's not the same thing at all either).
>
> See my labs page: http://crypto.cs.mcgill.ca + my directors page: http://www.cs.mcgill.ca/~crepeau
>
> Anton

--

From: "rosi" [EMAIL PROTECTED]
Subject: Re: Quantum Computers
Date: Sun, 4 Jul 1999 12:16:27 -0400

Greg Ofiesh wrote in message 7lgg7m$mt1$[EMAIL PROTECTED]...
> In article [EMAIL PROTECTED], "Douglas A. Gwyn" [EMAIL PROTECTED] wrote:
> > Greg Ofiesh wrote:
> > > Let us begin with the following assertion that I think you will all agree with. If a quantum computer exists, then the only form of encryption that cannot be broken by it, or at least has half a chance to survive an attack, is OTP. All other forms of encryption
> > [snip]
> >
> > Don't know on what basis I can agree with your above assertion.
>
> I have more verbiage on both (immunity to QC and issues concerning IT). And please don't say I am nuts, or kook, or anything else.

"Why on Earth not?"
    - from "A Fish Called Wanda"

> [snip]
> And, finally, I stated not to call me a kook because only losers have no life that they spend it responding in the extreme negative.

That is "why not". I think you highly deserve it.

You know, when one particular day, one in which everything that could go wrong did and everything else didn't do otherwise, you suddenly decided to do good, say some service to benefit others, you found yourself Running For Governor. And if you run here, dear Greg, you may forget all your math training, forgetting what a group is, whether it is associative, commutative, etc. etc. You probably still could hallucinate that a group could be quite abusive. You perfectly, in such situations, lose your imperfect aim and
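The point made in the "Re: RSA Padding" reply earlier in this digest (textbook RSA is deterministic, so repeated plaintexts repeat in the ciphertext and a small message space can be read off a table of trial encryptions) as an added Python example that is not code from the digest. The key is a constructed toy (two Mersenne primes, far too small for real use), and the randomized pad is a simplified stand-in for illustration, not PKCS #1 itself.

```python
import os

# Constructed toy key: Mersenne primes 2^61-1 and 2^89-1 (not for real use),
# large enough that an 18-byte padded block fits below N (about 150 bits).
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

BLOCK_LEN = 18      # bytes per padded block; 18*8 = 144 bits < log2(N)
MIN_RANDOM = 8      # never fewer than this many random pad bytes

def rsa_raw(x: int, exp: int) -> int:
    """Textbook RSA: x^exp mod N, no padding of any kind."""
    return pow(x, exp, N)

def encrypt_textbook(msg: bytes) -> int:
    return rsa_raw(int.from_bytes(msg, "big"), E)

def decrypt_textbook(c: int, length: int) -> bytes:
    return rsa_raw(c, D).to_bytes(length, "big")

def pad(msg: bytes) -> bytes:
    """Hypothetical toy pad (NOT PKCS #1): 0x02 || nonzero random bytes || 0x00 || msg."""
    n_rand = BLOCK_LEN - 2 - len(msg)
    if n_rand < MIN_RANDOM:
        raise ValueError("message too long for one block")
    rnd = bytes(b if b else 1 for b in os.urandom(n_rand))   # keep 0x00 out of the filler
    return b"\x02" + rnd + b"\x00" + msg

def unpad(block: bytes) -> bytes:
    if block[0] != 0x02 or 0 not in block[1:]:
        raise ValueError("bad padding")
    return block[block.index(0, 1) + 1:]          # everything after the 0x00 separator

def encrypt_padded(msg: bytes) -> int:
    return rsa_raw(int.from_bytes(pad(msg), "big"), E)

def decrypt_padded(c: int) -> bytes:
    return unpad(rsa_raw(c, D).to_bytes(BLOCK_LEN, "big"))

def recover_by_table(ciphertexts, candidates):
    """Without padding, encryption is a fixed public function: tabulate E(m) for
    every plausible m and look each ciphertext up.  Returns None where no match."""
    table = {encrypt_textbook(m): m for m in candidates}
    return [table.get(c) for c in ciphertexts]
```

Two padded encryptions of the same message differ in all but a 2^-104 fraction of cases, yet both decrypt to the message; the textbook ciphertexts are identical and fall to the table lookup.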