Cryptography-Digest Digest #344, Volume #9        Mon, 5 Apr 99 21:13:03 EDT

Contents:
  Re: Live from the Second AES Conference (Medical Electronics Lab)
  Re: True Randomness & The Law Of Large Numbers (Dave Knapp)
  DES function for 8 bits µC ("Michel ADAM")
  PGPdisk or ScramDisk? ("Michael")
  Re: Encrypting Fields in Microsoft Access Database ([EMAIL PROTECTED])
  Re: True Randomness & The Law Of Large Numbers ("Dorina M. Lanza")
  Encryption Algorithm (Allen Boris)
  Re: True Randomness & The Law Of Large Numbers (R. Knauer)
  Re: A simple hash function. (Boris Kazak)
  Re: My Book "The Unknowable" ("karl malbrain")
  Re: My Book "The Unknowable" (karl malbrain)

----------------------------------------------------------------------------

From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Live from the Second AES Conference
Date: Mon, 05 Apr 1999 12:13:24 -0500

Craig Clapp wrote:
> Of the two types of balancing Joan discussed - uniform Hamming weight
> in software, and redundant logic-term generation in hardware, only the
> _hardware_ version can be applied to ADD (since his hardware method
> claimed to be able to balance _any_ two-input logic gate, from which
> of course an adder _can_ be built).  I am suspicious of whether an adder
> so built could actually adequately maintain the balance of the individual
> gates since it is not clear how to provide uniform loading on all
> balanced-gate outputs when only a small subset of them are used by the
> adder's carry chain. In any case, I think the subsequent paper at the AES
> conference (recovering Twofish whitening subkeys using DPA and 50
> samples) raised serious doubts about the viability of the first-order
> balancing techniques suggested by Joan, so the issue is probably moot.
> This latter talk showed that effects on individual bits of the word could
> be distinguished from one another due to differences in signal trace
> lengths for the different bits.

What about doubling the length of every operation and using the
complement of each half?  That gives you uniform Hamming weight
on every clock cycle.  I would think that would force all operations
to use the same amount of power at every step and eliminate DPA
as a useful attack.  Doesn't stop DFA, but you could use error
correction to help with that.

Patience, persistence, truth,
Dr. mike
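An added example, not code from Dr. mike's post or from anyone in the thread, that models the "double the width and carry the complement" idea in Python. It assumes a toy leakage model: either the Hamming weight of a register (weight model) or the number of bits that toggle between two successive register values (distance model); real silicon is messier than either. It shows that the pair (word, ~word) does have uniform weight, as the post says, but that the toggle count between consecutive states is 2 * HW(a ^ b) and therefore still tracks the data, so a countermeasure that equalises weight closes one channel without closing the other.

```python
# Added example (not from the thread): toy leakage model for the
# "store word together with its complement" countermeasure.
# Assumption: leakage ~ Hamming weight of a register, or ~ number of bits
# toggled between consecutive register values. Hardware will differ.


def hamming_weight(value):
    return bin(value).count("1")


def dual_rail(word, width=8):
    """Encode `word` as (word || ~word). The pair always has weight == width."""
    mask = (1 << width) - 1
    return ((word & mask) << width) | (~word & mask)


def weight_profile(width=8):
    """All Hamming weights observed over every possible encoded word."""
    return {hamming_weight(dual_rail(w, width)) for w in range(1 << width)}


def transition_profile(states, width=8):
    """Bits toggled between consecutive encoded register states (distance model).
    (a || ~a) ^ (b || ~b) == (a^b || a^b), so the count is 2 * HW(a ^ b)."""
    enc = [dual_rail(s, width) for s in states]
    return [hamming_weight(a ^ b) for a, b in zip(enc, enc[1:])]


if __name__ == "__main__":
    print("weights seen:", weight_profile())        # {8}: uniform, as claimed
    # Constructed register trace: toggles still depend on the data.
    print("toggles:", transition_profile([0x00, 0xFF, 0xFF, 0x01]))  # [16, 0, 14]
```

The weight set collapses to a single value for any width, which is the property the post relies on; the transition list does not, which is the quantity a distance-based model charges for and the reason the discussion of signal-trace lengths in the quoted paragraph matters even with balanced weights.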

------------------------------

From: Dave Knapp <[EMAIL PROTECTED]>
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Mon, 05 Apr 1999 18:16:05 GMT

"R. Knauer" wrote:
> 
> On Sun, 04 Apr 1999 20:59:50 GMT, Dave Knapp <[EMAIL PROTECTED]> wrote:
> 
> >Incredible!  You not only don't understand statistics, but you don't
> >understand decision theory even better!
> 
> At least I know what correlation means.

Unfortunately, you still don't.

If this is the way you treat people who attempt to educate you, it is
hardly surprising that you find so few people who are willing to do so.

  -- Dave

------------------------------

From: "Michel ADAM" <[EMAIL PROTECTED]>
Subject: DES function for 8 bits µC
Date: Mon, 5 Apr 1999 20:40:00 +0200

I'm looking for the source code of the DES function, for an 8-bit
microcontroller.

Please could you help me?

Thanks a lot.

[EMAIL PROTECTED]



------------------------------

From: "Michael" <[EMAIL PROTECTED]>
Subject: PGPdisk or ScramDisk?
Date: Mon, 5 Apr 1999 17:30:24 +0200

Which of these programs is better?



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Encrypting Fields in Microsoft Access Database
Date: 5 Apr 1999 21:34:12 GMT

>wtshaw wrote in message ...
>>In article <7e3kms$svl$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>>
>>> If you want to do encryption, you will need to use C. VB lacks powerful
>>> bit-bashing operators (AFAIK it doesn't have bit shifting) and forces
>>> you to use signed operators.
>>>
>>BASIC has very powerful string functions.  Rotations are no problem either,
>>merely concatenate a string with itself and use MID$ to select the
>>starting point and original length in the doubled string.  This works
>>well, use it all the time.
>
>Am I missing something?
>Bit ops and string ops are not the same thing at all.
>

Unless you feel like wasting 8 bits (or more? does VB force unicode?) to
express 1 bit ... '111011' ... excuse me while I go puke ... 


------------------------------

Date: Mon, 05 Apr 1999 16:43:13 -0400
From: "Dorina M. Lanza" <[EMAIL PROTECTED]>
Subject: Re: True Randomness & The Law Of Large Numbers

R. Knauer wrote:
> 
> On Mon, 05 Apr 1999 07:07:58 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
> wrote:
> 
> >> Therefore, if an RNG fails those statistical tests, it is reasonably
> >> certain that it is not random, and if it does not fail those tests, it
> >> is reasonably certain that it is random.
> 
> >The null hypothesis and alternative hypothesis do *not* play
> >symmetric roles in the usual statistical tests, so it doesn't
> >work like that.
> 
> And therein lies the problem.
> 
> I claim that there is an absolute standard against which to compare
> random number generation, namely a quantum computer programmed to
> calculate numbers that are truly random. (Cf. Williams & Clearwater,
> op. cit.). That standard TRNG is 100% certain to perform correctly.
> 
> Therefore anything which does not perform like that standard TRNG is
> not truly random. There is no fuzzy set measure here, no excluded
> middle called "Maybe A." A process is either truly random or it is not
> truly random, and anything which is not 100% truly random is Not Truly
> Random.

Ah, so.  It's basically a religious issue?

> 
> If it is not truly random, then it can be "pretty random", "partly
> random" or "lousy random" for purposes of crypto. "Pretty random"
> might qualify for a keystream generator, maybe not. But that is not
> the issue here - I am not talking about a *practical* TRNG, I am
> talking about an *ideal* TRNG, like a quantum computer.
> 
> Even an expert mathematician such as Triola will not go along with
> such nonsense as Maybe Random. He states unequivocally that there are
> NO parametric statistical tests for true randomness.

Everyone here agrees with that.

The issue is really whether there are tests for order.  And that is
trivially true.


> Most of your
> beloved standard statistical tests are parametric. The binomial
> distribution is certainly parametric and so is Chi Square and all the
> rest of them that are based on such parameters as the mean and the
> variance, etc.
> 
> Yet Triola himself, the very author you said I had to read in order to
> get to where you are in your thinking, states in plain English that
> such parametric tests are useless to determine true randomness.

Irrelevant.  There are tests for non-randomness, and that's the kind of
test people are encouraging you to use on the output of an RNG.  Not
tests for randomness; tests for non-randomness.


> He
> even puts it in a Table for the English-comprehension-impaired.
> 
> He does attempt to pawn off the Runs Test as an example of a
> non-parametric test, but it comes off very weakly. He then quickly
> sweeps the entire matter of true randomness under the rug and
> high-tails it for the closing chapter.
> 
> Your beloved statistical tests are just snake oil. All they do is snook
> you into believing that a process is Maybe A - like being Maybe
> Pregnant or pregnant with a 95% confidence level. What complete and
> utter nonsense. I find it difficult to believe that presumably
> intelligent people would fall for that bullcrap so readily.
> 
> Maybe Huxley was right - most people do not know how to think
> critically.

Q. E. D.

> 
> Bob Knauer
> 
> "People have criticized me because my security detail is larger
> than the president's.  But you must ask yourself: Are there more
> people who want to kill me than who want to kill the president?
> I can assure you there are."
> - Marion Barry, Mayor of Washington DC

------------------------------

From: Allen Boris <[EMAIL PROTECTED]>
Subject: Encryption Algorithm
Date: 5 Apr 1999 23:40:51 -0000




     This algorithm consists of a three-part private key to decode
n variables: n n-variable linear equations, n/2 sets of relatively prime
numbers (p(n), q(n)) and a random sequence of equation additions,
subtractions, and multiplications.
  In general, n equations are needed to solve for n unknowns. However, by
uniquely factoring a number into m factors, only n/m equations would be
required. Without factoring, it would be impossible to uniquely solve for the
variables. Let m = the number of factors = 2. Let c and b be the two numbers to
be sent. c and b could be sent as a single number x where x = c*b. But
there would be no way of uniquely determining c and b given x. However, c and
b could be sent as c*(q*b+p) where q and p are any two numbers subject to
the following three constraints:
                     (1). q > c for all possible values of c
                     (2). p and q are relatively prime
                     (3). c, p, q > 0.
To show that the factoring is unique, let x = c*(qb+p) = cbq+cp. Assume that
there exists c', b' such that c' < q, c' > 0, and x = c'*(qb'+p) = c'b'q+c'p. Then
cbq+cp = c'b'q+c'p or cbq-c'b'q = c'p-cp or
          (4). q(cb-c'b') = p(c'-c).
There are two possibilities for (4) to be true:
      (5). cb-c'b' = 0, which implies p(c-c') = 0 or c-c' = 0 (since p > 0) or c' = c
                            or
      (6). Since q divides the left side of eq. 4, q divides the right side,
or q divides p(c'-c). Since p and q are relatively prime, q divides p(c'-c)
implies q divides c'-c. q divides (c'-c) means that there exists an n such
that c'-c = nq or c' = c+nq. However, from constraint (1), c' < q and c < q. Therefore
c' = c+nq < q implies n = 0, c' = c, and c (and consequently b) is unique.
 
                          To derive c given x
  Since x = cbq+cp, x mod q = cp mod q, or x mod q = cp-nq for some n, or
cp = x mod q + nq. Let n = 0, 1, 2, ... < q until x mod q + nq is divisible by p
(if we restricted c such that cp < q for all possible c, then x mod q = cp or
c = (x mod q)/p).
 
                          Public Key and Private Key
 The n/2 original, factorable equations are added and/or subtracted and/or multiplied
to form n/2 unfactorable equations. The n/2 unfactorable equations are used
as the public key. Our private key consists of the unknown sequence of
additions, subtractions, and multiplications needed to transform the new
equations back to the n/2 original equations, the sets of (p(n), q(n))'s
needed to derive the original n linear equations, and the n linear equations
to solve for the n variables.
 
 
                           Example
 To encode 6 numbers - x, y, z, u, v, w - we need 6 linearly independent equations
- c1, b1, c2, b2, c3, b3.
Let
c1 = 2x+3y+z+5u+v+w,           b1 = 4x+y+6z+u+2v+w,
c2 = x+7y+7z+u+v+2w,           b2 = 2x+y+5z+4u+2v+2w,
c3 = x+3y+3z+u+3v+2w,          b3 = 2x+6y+z+u+4v+w.
For 0 < x,y,z,u,v,w < 10, the maximum value of these equations is 190. Let
F1 = (2x+3y+z+5u+v+w)*(200*(4x+y+6z+u+2v+w)+3) (where we chose q=200 and p=3)
F2 = (x+7y+7z+u+v+2w)*(201*(2x+y+5z+4u+2v+2w)+4) (q=201, p=4)
F3 = (x+3y+3z+u+3v+2w)*(202*(2x+6y+z+u+4v+w)+5) (q=202, p=5)
 
                       Public Equations: G1, G2, G3
G1 = F1 + F2 = 10*x+37*y+31*z+7019*x*z+2002*x^2+2007*y^2+7*v+802*v^2+
1004*w^2+19*u+5815*x*y+1804*u^2+5419*z*v+2406*x*w+2404*x*v+6224*z*w+
3406*u*v+3210*u*w+12833*z*u+4016*y*w+4415*y*v+7429*y*u+12242*y*z+5606*x*u
+1806*v*w+8235*z^2+11*w
 
G2 = F1 + F3 = 11*x+24*y+18*z+4614*x*z+2004*x^2+4236*y^2+18*v+2824*v^2+
604*w^2+20*u+5224*x*y+1202*u^2+4630*z*v+2210*x*w+3620*x*v+2410*z*w+3614*u*v
+1806*u*w+7008*z*u+3830*y*w+7460*y*v+3418*y*u+8042*y*z+5006*x*u+2822*v*w+
1806*z^2+13*w
 
G3 = F2 + F3 = 9*x+43*y+43*z+5233*x*z+806*x^2+5043*y^2+19*v+2826*v^2+
1208*w^2+9*u+5439*x*y+1006*u^2+6849*z*v+2216*x*w+2824*x*v+5834*z*w+2620*u*v
+2616*u*w+7441*z*u+6246*y*w+9075*y*v+7647*y*u+12684*y*z+1812*x*u+3428*v*w+
7641*z^2+18*w
 
These equations cannot be factored or reduced using Gröbner bases.
 
                        Private Key
F1 = (G1+G2-G3)/2 , F2 = (G1-G2+G3)/2 , F3 = (-G1+G2+G3)/2
 
p*c1 = 3*(2x+3y+z+5u+v+w) = F1 mod q1 = ((G1+G2-G3)/2) mod 200,
b1 = (4x+y+6z+u+2v+w) = ((F1/c1) - p1)/q1
 
p*c2 = 4*(x+7y+7z+u+v+2w) = F2 mod q2 = ((G1-G2+G3)/2) mod 201,
b2 = (2x+y+5z+4u+2v+2w) = ((F2/c2) - p2)/q2
 
p*c3 = 5*(x+3y+3z+u+3v+2w) = F3 mod q3 = ((-G1+G2+G3)/2) mod 202,
b3 = (2x+6y+z+u+4v+w) = ((F3/c3) - p3)/q3
 
 
                        Numerical Example
                x = 1,y = 3,z = 1,u = 2,v = 7,w = 9
G1 = 851938
G2 = 943664
G3 = 1217774
 
F1 = (G1+G2-G3)/2 = 288914
F2 = (G1-G2+G3)/2 = 563024
F3 = (-G1+G2+G3)/2 = 654750
 
3*c1 mod q1 = F1 mod q1 = 288914 mod 200 = 114 or
c1 = 2x+3y+z+5u+v+w = 38
b1 = 4x+y+6z+u+2v+w = ((F1/c1) - p1)/q1 = ((288914/38)-3)/200 = 38
 
4*c2 mod q2 = F2 mod q2 = 563024 mod 201 = 23
c2 = x+7y+7z+u+v+2w = (23+201)/4 (since 23 is not divisible by 4) = 56
b2 = 2x+y+5z+4u+2v+2w = 50
 
5*c3 mod q3 = F3 mod q3 = 654750 mod 202 = 68
c3 = x+3y+3z+u+3v+2w = (68+202)/5 = 54
b3 = 2x+6y+z+u+4v+w = 60
We now have six equations and six unknowns.
 
The key to this algorithm is the difficulty in factoring the public
equations. A more complicated sequence of additions, subtractions, and
multiplications would be necessary to derive the n/2 public equations from
the original n/2 equations. For example, let G1 = F1*F2 + F1*F3, G2 =
F1*F2 + F2*F3, G3 = F2*F3 + F1*F3. Then
 F1 = square root((G1+G2-G3)*(G1-G2+G3)/(-G1+G2+G3))
 F2 = square root((-G1+G2+G3)*(G1+G2-G3)/(G1-G2+G3))
 F3 = square root((-G1+G2+G3)*(G1-G2+G3)/(G1+G2-G3))
However, this greatly increases the number of terms in the public
equations (e.g. G1 would now contain  terms as opposed to the 27 terms in
the first example).
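An added example, not the poster's code, that runs the post's scheme end to end in Python: the c*(q*b + p) packing and its inverse, the G1 = F1+F2, G2 = F1+F3, G3 = F2+F3 combination and its inverse, the product-based combination from the last paragraph, and the final six-by-six solve. The linear forms, the (p, q) pairs and the sample plaintext are the ones printed in the post. Two things are this example's own: the sender computes each F_i and sums them, which is numerically the same as evaluating the expanded public polynomials G_i; and the product-based inverse divides by 2, because G1+G2-G3 = 2*F1*F2, G1-G2+G3 = 2*F1*F3 and -G1+G2+G3 = 2*F2*F3, so each ratio in the post's square-root formulas equals 2*F_i**2. The example demonstrates the mechanics only and makes no claim about the scheme's strength.

```python
# Added example (not from the post): the c*(q*b+p) packing, the public
# combination of the F_i, and recovery of the six unknowns, using the
# post's own linear forms, (p, q) pairs and numerical example.
import math
from fractions import Fraction

# Coefficient rows over (x, y, z, u, v, w), copied from the post.
C_FORMS = [(2, 3, 1, 5, 1, 1), (1, 7, 7, 1, 1, 2), (1, 3, 3, 1, 3, 2)]
B_FORMS = [(4, 1, 6, 1, 2, 1), (2, 1, 5, 4, 2, 2), (2, 6, 1, 1, 4, 1)]
PQ = [(3, 200), (4, 201), (5, 202)]   # (p_i, q_i) from the post


def evaluate(form, values):
    return sum(a * v for a, v in zip(form, values))


def pack(c, b, p, q):
    """x = c*(q*b + p); the post requires gcd(p, q) = 1 and 0 < c < q."""
    if not (0 < c < q and math.gcd(p, q) == 1):
        raise ValueError("constraints (1)-(3) violated")
    return c * (q * b + p)


def unpack(x, p, q):
    """Recover (c, b): x mod q == c*p mod q, so step c*p = (x mod q) + n*q
    until it is divisible by p. Since c*p < p*q, n < p suffices."""
    r = x % q
    for n in range(p):
        cp = r + n * q
        if cp and cp % p == 0:
            c = cp // p
            break
    else:
        raise ValueError("no c in (0, q) with c*p == x (mod q)")
    rest, rem = divmod(x, c)          # rest == q*b + p
    if rem or (rest - p) % q:
        raise ValueError("x was not produced by pack() with these p, q")
    return c, (rest - p) // q


def publish(F):
    """Public combination from the post's first example."""
    F1, F2, F3 = F
    return [F1 + F2, F1 + F3, F2 + F3]


def recover(G):
    """Private-key step: invert publish()."""
    G1, G2, G3 = G
    return [(G1 + G2 - G3) // 2, (G1 - G2 + G3) // 2, (-G1 + G2 + G3) // 2]


def publish_products(F):
    """The post's second, product-based combination."""
    F1, F2, F3 = F
    return [F1 * F2 + F1 * F3, F1 * F2 + F2 * F3, F2 * F3 + F1 * F3]


def recover_products(G):
    """Inverse of publish_products(): a, b, c below are 2*F1*F2, 2*F1*F3,
    2*F2*F3, so a*b/(2*c) == F1**2 etc. The division by 2 is ours."""
    G1, G2, G3 = G
    a, b, c = G1 + G2 - G3, G1 - G2 + G3, -G1 + G2 + G3
    return [math.isqrt(a * b // (2 * c)), math.isqrt(c * a // (2 * b)),
            math.isqrt(c * b // (2 * a))]


def solve(rows, rhs):
    """Exact Gauss-Jordan elimination over the rationals."""
    n = len(rows)
    M = [[Fraction(a) for a in row] + [Fraction(r)] for row, r in zip(rows, rhs)]
    for col in range(n):
        piv = next(i for i in range(col, n) if M[i][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        M[col] = [a / M[col][col] for a in M[col]]
        for i in range(n):
            if i != col and M[i][col]:
                M[i] = [a - M[i][col] * b for a, b in zip(M[i], M[col])]
    return [row[n] for row in M]


def encrypt(values):
    """Sender: F_i = c_i*(q_i*b_i + p_i), then the public combination."""
    F = [pack(evaluate(cf, values), evaluate(bf, values), p, q)
         for cf, bf, (p, q) in zip(C_FORMS, B_FORMS, PQ)]
    return publish(F)


def decrypt(G):
    """Receiver: undo the combination, unpack each F_i, solve the 6x6 system."""
    rhs = []
    for Fi, (p, q) in zip(recover(G), PQ):
        rhs.extend(unpack(Fi, p, q))
    rows = [f for pair in zip(C_FORMS, B_FORMS) for f in pair]
    sol = solve(rows, rhs)
    if any(v.denominator != 1 for v in sol):
        raise ValueError("non-integer solution")
    return [int(v) for v in sol]


if __name__ == "__main__":
    plaintext = [1, 3, 1, 2, 7, 9]                   # the post's numerical example
    G = encrypt(plaintext)
    print("G1..G3:", G)                              # [851938, 943664, 1217774]
    print("F1..F3:", recover(G))                     # [288914, 563024, 654750]
    print("(c2, b2):", unpack(563024, 4, 201))       # (56, 50): needs n = 1
    print("recovered:", decrypt(G))                  # [1, 3, 1, 2, 7, 9]
```

The unpack step reproduces the "(23+201)/4" case from the post: 4*56 = 224 exceeds q = 201, so the first multiple of q has to be added before the residue divides by p. Because gcd(p, q) = 1, c could equally be read off as (x mod q) * p^-1 mod q; the loop is kept to match the post's description.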
 

------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Mon, 05 Apr 1999 23:47:53 GMT
Reply-To: [EMAIL PROTECTED]

On Mon, 05 Apr 1999 16:43:13 -0400, "Dorina M. Lanza"
<[EMAIL PROTECTED]> wrote:

>Ah, so.  It's basically a religious issue?

There is no religion involved here.

Some would consider mathematics a form of religion, since the objects
of mathematics have no real-world existence. But that is another
matter.
 
>> Even an expert mathematician such as Triola will not go along with
>> such nonsense as Maybe Random. He states unequivocally that there are
>> NO parametric statistical tests for true randomness.

>Everyone here agrees with that.

But not everyone appreciates the consequences.

>The issue is really whether there are tests for order.  And that is
>trivially true.

Everything is "trivial" to a dogmatist. Who's being religious now?

>> Yet Triola himself, the very author you said I had to read in order to
>> get to where you are in your thinking, states in plain English that
>> such parametric tests are useless to determine true randomness.

>Irrelevant.

Yes, parametric statistical tests are obviously irrelevant to the
determination of non-true-randomness.

>There are tests for non-randomness,

This I gotta see.

>and that's the kind of
>test people are encouraging you to use on the output of an RNG.  Not
>tests for randomness; tests for non-randomness.

Can you provide a reference for those "tests for non-randomness"?

Better yet, can you provide the actual tests so we can critique them?
Name the best "test for non-randomness" that you can come up with.

But it must be a test that rejects true randomness, not one that
rejects pseudo-randomness. Pseudo-randomness is not a proven condition
for true randomness, not even a necessary condition. Of course, if you
believe otherwise, we would be interested in your rationale.

BTW, doesn't it bother you just a little that the people I have cited
have serious reservations that statistical tests even for
non-true-randomness do not exist?

Bob Knauer

"People have criticized me because my security detail is larger
than the president's.  But you must ask yourself: Are there more
people who want to kill me than who want to kill the president?
I can assure you there are."
- Marion Barry, Mayor of Washington DC


------------------------------

From: Boris Kazak <[EMAIL PROTECTED]>
Subject: Re: A simple hash function.
Date: Mon, 05 Apr 1999 17:33:28 -0400
Reply-To: [EMAIL PROTECTED]

Nathan Kennedy wrote:
> 
> Boris Kazak wrote:
> > *****************
> >      Original message is divided into segments of the size
> > twice that of the final hash, e.g. if the final hash will
> > be 160 bit, the segments will be 320 bit each. The size of
> > the hash and segments is #defined by the HASHBLOCKSIZE
> > constant and can be altered according to need.
> >******************
> >     For each block, there are three rounds (for those
> > paranoid among us, there is a #define, where one can
> > change the ROUNDS constant to whatever desired).
> >******************
> >
> >      Initially the hash buffer contains either 0's or an
> > appropriate IV. No hashing is done on this value, the first
> > message block is just XOR-ed into the hash buffer.
> >
> >      If the secret key will be used as the IV, the function
> > will produce a MAC.
> >
> >      Any comments would be appreciated.
> *************************************
> HASHBLOCKSIZE is defined as 16.  Can this be any number?  Do you feel that
> 128 bits is sufficient for a modern hash?  By birthday paradox, you'd
> expect a collision after ~2.2 x 10^19 hashes (i.e. > 2^64 and < 2^65).
> That seems a bit too small in my book.  24 bytes, or better, 32 should be
> secure enough for almost anything.
> 
> Nate
=================
  Yes, and this has been tested, it works. See the first lines of 
this post, not only HASHBLOCKSIZE, but also ROUNDS can be set to 
whatever necessary. HASHBLOCKSIZE should preferably be a multiple of 2;
I did not test it with odd numbers.

   Best wishes            BNK

------------------------------

From: "karl malbrain" <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.physics,sci.logic
Subject: Re: My Book "The Unknowable"
Date: Mon, 5 Apr 1999 15:20:53 -0700

David Starr <[EMAIL PROTECTED]> wrote in message
news:vuYN2.384$[EMAIL PROTECTED]...
(... question: what do you think SCI groups are about??)

> Hmmm, let me see...  (lots of head scratching).
> Where do you think you are posting?  Hint: look carefully at the
> lines that start with "sci.".  What do you think sci.crypt is about?
> I did not start this (cross-posted to four groups) discussion.
> I am simply asking that it be confined to the appropriate forum,
> and that is *not* sci.crypt (or sci.math, where you also waste
> my time).

The posting pattern was set by the original author, from I.B.M., announcing
his <<new-book the unknowable>>.  I responded within 45 minutes where I saw
his misconceptions (the capitalized words) lay, based on existential threads
within sci.crypt.  In any event, this is all documented on www.dejanews.com.
You'll also find additional explanation from me on the use of CAPITALIZED
words in comp.unix.unixware.misc.

(...snipped down to the present...)
> Keep sci.logic discussions confined to sci.logic.
> On second thought, don't those database folks care
> about valid schemas?  Maybe you could cross-post to
> them, too.

No, ORGANIZATION is a subjective thing to a BOLSHEVIK.  The current crew
running the DataBase world, jim_g, bruce_l, et al, are running it as a
THING-IN-ITSELF.  I have no interest in posting to IBM/MICROSOFT, outside of
the tie to the original thread's author.  Thanks, Karl M.




------------------------------

From: karl malbrain <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.physics,sci.logic
Subject: Re: My Book "The Unknowable"
Date: Mon, 05 Apr 1999 23:16:15 GMT

David Starr <[EMAIL PROTECTED]> wrote in message
news:vuYN2.384$[EMAIL PROTECTED]...
(... question: what do you think SCI groups are about??)

> Hmmm, let me see...  (lots of head scratching).
> Where do you think you are posting?  Hint: look carefully at the
> lines that start with "sci.".  What do you think sci.crypt is about?
> I did not start this (cross-posted to four groups) discussion.
> I am simply asking that it be confined to the appropriate forum,
> and that is *not* sci.crypt (or sci.math, where you also waste
> my time).

The posting pattern was set by the original author, [EMAIL PROTECTED],
announcing his <<new-book the unknowable>>.  I responded where I saw
his misconceptions (the capitalized words) lay, based on existential threads
within sci.crypt.

In any event, this is all documented on www.dejanews.com. You'll also find
additional explanation from me on the use of CAPITALIZED words in
comp.unix.unixware.misc.

(...snipped down to the present...)

> Keep sci.logic discussions confined to sci.logic.
> On second thought, don't those database folks care
> about valid schemas?  Maybe you could cross-post to
> them, too.

No, ORGANIZATION is a subjective thing to a BOLSHEVIK.  The current crew
running the DataBase world, jim_g, bruce_l, et al, are running it as a
THING-IN-ITSELF.  I have no interest in posting to IBM/MICROSOFT, outside of
the tie to the original thread's author.  Thanks, Karl M.




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
