Cryptography-Digest Digest #480, Volume #9       Thu, 29 Apr 99 02:13:03 EDT

Contents:
  Re: break this code (Jerry Coffin)
  Re: Weakness Found in Alternative Signature Format ("Sal")
  Re: BEST ADAPTIVE HUFFMAN COMPRESSION FOR CRYPTO (SCOTT19U.ZIP_GUY)
  Re: Is this cypher weak? ([EMAIL PROTECTED])
  observation on superencryption (greg hampton)
  Re: Thought question: why do public ciphers use only simple ops like shift and XOR? ([EMAIL PROTECTED])
  Re: Is this cypher weak? (Scott Fluhrer)
  Re: Weakness Found in Alternative Signature Format (Jim Gillogly)
  Re: Algorithms where encryption=decryption? (wtshaw)
  Re: OAEP, CBC, patents, and improving PGP
  Sunfish, a Blowfish variant ([EMAIL PROTECTED])
  Re: Thought question: why do public ciphers use only simple ops like shift and XOR? (Jerry Coffin)
  Re: Extreme lossy text compression (Jerry Coffin)
  Re: Thought question: why do public ciphers use only simple ops like shift and XOR? (wtshaw)
  Re: True Randomness & The Law Of Large Numbers (Mok-Kong Shen)
  Solitaire Encryption Algorithm ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: break this code
Date: Wed, 28 Apr 1999 17:59:28 -0600

In article <wMqV2.13481$[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] says...

[ ... ] 

> What does the term "XOR" mean? I believe this refers to a type of comparison
> but I am not sure.

It's short for eXclusive OR.  A basic XOR takes two bits of input and 
produces one bit of output. The output will be true if one or the 
other bit of input is true, but not both.  Another way of expressing 
that is that the output is true if the inputs are different, and false 
if the inputs are the same.  When you apply an XOR to (say) a 32-bit 
word, you start with two 32-bit words, and each bit in the output is 
the XOR of the corresponding bits in the two input words.
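
As an added illustration of the answer above (example code, not part of the original post): XOR on single bits, on 32-bit words, and on byte strings, including the property that matters for the "break this code" thread, that XOR is its own inverse. The message and key bytes are constructed for the demonstration.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// xorWords returns the bitwise XOR of two 32-bit words: bit i of the result
// is 1 exactly when bit i of a and bit i of b differ.
func xorWords(a, b uint32) uint32 {
	return a ^ b
}

// xorBytes XORs two equal-length byte strings position by position, which is
// how a keystream is combined with plaintext in XOR-based ciphers.
func xorBytes(a, b []byte) []byte {
	if len(a) != len(b) {
		panic("xorBytes: inputs must have equal length")
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func main() {
	// Single-bit truth table: the output is 1 only when the inputs differ.
	for _, in := range [][2]uint32{{0, 0}, {0, 1}, {1, 0}, {1, 1}} {
		fmt.Printf("%d XOR %d = %d\n", in[0], in[1], xorWords(in[0], in[1]))
	}

	// 32-bit words: each output bit is the XOR of the corresponding input bits.
	a, b := uint32(0xF0F0F0F0), uint32(0xFF00FF00)
	fmt.Printf("%08x XOR %08x = %08x\n", a, b, xorWords(a, b))

	// XOR is its own inverse, so one routine both encrypts and decrypts:
	// (p XOR k) XOR k == p. The flip side is that a known plaintext hands
	// the attacker the key directly: c XOR p == k.
	plaintext := []byte("attack at dawn") // constructed sample message
	key := []byte{0x1f, 0xa2, 0x33, 0x07, 0x9c, 0x5e, 0xd0, 0x41,
		0x77, 0x0b, 0xe8, 0x26, 0x9a, 0x13} // constructed 14-byte key
	ciphertext := xorBytes(plaintext, key)
	fmt.Println("ciphertext:   ", hex.EncodeToString(ciphertext))
	fmt.Println("decrypted:    ", string(xorBytes(ciphertext, key)))
	fmt.Println("recovered key:", hex.EncodeToString(xorBytes(ciphertext, plaintext)))
}
```

The last line is the whole story of most "break this code" puzzles built on XOR: whatever plaintext the attacker can guess comes straight back out as key material.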


------------------------------

From: "Sal" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.misc,comp.security.pgp.discuss
Subject: Re: Weakness Found in Alternative Signature Format
Date: Wed, 28 Apr 1999 20:30:43 -0400

If all the personal computers in the world (260 million) were put
to work on a single PGP-encrypted message, it would still take
an estimated 12 million times the age of the universe, on average,
to break a single message.
--William Crowell, Deputy Director, National Security Agency, March 20,
1997.
========================

Should we believe it?



------------------------------

From: SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]>
Subject: Re: BEST ADAPTIVE HUFFMAN COMPRESSION FOR CRYPTO
Date: Wed, 28 Apr 1999 23:54:09 GMT

In article <[EMAIL PROTECTED]>,
  Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
...
>
> I also don't understand your last sentences. The random bits are
> discarded by the receiver. They involve some transmission expense,
> but that's all.
>

  Bullshit. The receiver has to know where the random bits are
to discard them. Write code if you CAN, Mr. Shen, and then we
can discuss it. Until then it is obvious this is way over your
head.

Again I say. WRITE THE CODE AND SHOW EXAMPLES LIKE I DID.

David A. Scott
--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMMERS
to email me use address on WEB PAGE

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Is this cypher weak?
Date: Wed, 28 Apr 1999 23:58:48 GMT

<snip>

May I suggest other ciphers to use:

Blowfish, Twofish, RC4, IDEA or CAST

They are all really well known.  If you need a stream cipher try RC4.  I can
get the papers for those if you want, although I would recommend an introductory
book in cryptography.  Try reading the sci.crypt FAQ too.

Tom
--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!


------------------------------

From: greg hampton <[EMAIL PROTECTED]>
Subject: observation on superencryption
Date: Wed, 28 Apr 1999 20:49:28 -0700

In a multi-round cipher like des, blowfish and others, consider one
round as a standalone 'baby' cipher algorithm.  Then the full algorithms
(above) effectively become a super-encryption of the data (like
encrypting a file 16 times with a weak algorithm)(minus any final
transform, of course).  Since one round of these algorithms can be
cracked, and 16 cannot, does this mean a weak algorithm can be made
strong by super-encrypting(assuming no groups)?

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Wed, 28 Apr 1999 21:04:37 GMT

dianelos wrote:
>   Bryan G. Olson wrote:
> > There is a situation worse than having all one's eggs in one basket.
> > The problem with one basket is that there exists a potential failure
> > that would be catastrophic.  What's worse is a system in which any
> > one of many possible failures would be catastrophic.  If one accepts
> > that in realistic applications of cryptography the same intelligence
> > is available from many messages, then choosing from a thousand
> > ciphers for each message moves us from one potential catastrophic
> > failure to many potential catastrophic failures.
>
>     I think you assume that the attacker will know which cipher has
>     been used. In fact, a good variable cipher protocol would hide the
>     information about which cipher or cipher combination has been
>     used.

I'm assuming the technique Ritter described, but I don't think
whether the protocol tries to hide the choice of cipher makes
much difference.  The attacker doesn't need the general ability
to determine what cipher is in use; he only needs to be able to
distinguish when the cipher in use is one he can break.  If he
can break a cipher he can surely distinguish it.

>     Let us design two possible future worlds and then pick the one
>     that is more secure:

I think there are cases to be made for and against using a
variety of primitives in the design of a cipher.  I agree
the case for conservative design is overwhelming.  I just
jumped in to argue the foolishness of the specific proposal
of encrypting each message with a random choice from a pool
of 1000 ciphers.

--Bryan


------------------------------

From: Scott Fluhrer <[EMAIL PROTECTED]>
Subject: Re: Is this cypher weak?
Date: Thu, 29 Apr 1999 01:33:21 GMT

In article <OFNThjck#GA.51@cpmsnbbsa03>,
        "Stephane BARTHES" <[EMAIL PROTECTED]> wrote:

>Hi all,
>
>I am new to cryptography and thinking of an encryption scheme to store
>software licenses. I do not want to buy some high end stuff, since I can
>probably code one myself.
>
>However, I would like to make sure that the first hacker will not sneak in
>my license files and make them tell whatever he wants.

[Snip]

Actually, what you should start with is making a threat model.  What are you
trying to protect against?  What does the attacker have available to him?

For example, you said this is to store software licenses.  Does this mean
that you are going to sell people copies of the program, and you want to
prevent them from making illegal copies?  If so, how are you going to
distinguish a computer that is allowed to run the software from one that
isn't?

And, if you do have a way (computer serial number or some such), how do you
make a license for a particular serial number?  And, what is preventing the
attacker from doing the very same thing?  Remember, he has access to the
code that verifies the serial number.

And, for that matter, what is to prevent the attacker from just snipping out
the code that does the check on the software license?  People have become
very good at doing this.

Now, I'm not saying that cryptography in general, or your proposed method in
particular, cannot solve your problem -- I am saying that you need to sit down
and think things through before you start throwing something together.

-- 
poncho
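
An added example for the threat-model point above (not code from the original thread): because the attacker has the verifier, any design in which the verifier holds a secret, such as an HMAC key, lets him mint licenses for other machines. Signing the machine identifier with a key whose public half alone ships in the product closes that particular route. The serial strings are constructed placeholders for whatever hardware identifier the vendor chooses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// License binds a machine identifier to the vendor's signature over it.
type License struct {
	MachineID string
	Signature []byte
}

// newVendorKeys generates the vendor's signing key pair. The private half
// stays with the vendor; only the public half is compiled into the product.
func newVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// issueLicense is the vendor-side step: sign the identifier of the machine
// the customer is allowed to run on.
func issueLicense(priv ed25519.PrivateKey, machineID string) License {
	return License{MachineID: machineID, Signature: ed25519.Sign(priv, []byte(machineID))}
}

// checkLicense is the code that ships. It holds only the public key, and it
// compares against the identifier of the machine it is actually running on,
// not the one written in the license file.
func checkLicense(pub ed25519.PublicKey, lic License, thisMachineID string) bool {
	if lic.MachineID != thisMachineID {
		return false
	}
	return ed25519.Verify(pub, []byte(lic.MachineID), lic.Signature)
}

func main() {
	pub, priv := newVendorKeys()

	// "serial-0001" and "serial-0002" are constructed machine identifiers.
	lic := issueLicense(priv, "serial-0001")
	fmt.Println("signature:", hex.EncodeToString(lic.Signature))
	fmt.Println("on the licensed machine:   ", checkLicense(pub, lic, "serial-0001"))
	fmt.Println("copied to another machine: ", checkLicense(pub, lic, "serial-0002"))

	// The attacker has the checker, hence pub, but not priv. Editing the
	// serial in the file breaks the signature; signing with his own key pair
	// gives a signature the vendor's public key will not accept.
	edited := License{MachineID: "serial-0002", Signature: lic.Signature}
	fmt.Println("edited license:            ", checkLicense(pub, edited, "serial-0002"))
	_, attackerPriv := newVendorKeys()
	forged := issueLicense(attackerPriv, "serial-0002")
	fmt.Println("signed with attacker's key:", checkLicense(pub, forged, "serial-0002"))
}
```

This answers only the forgery question. The last point in the post stands untouched: nothing here stops someone from patching out the call to checkLicense, and no choice of cipher or signature scheme will.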

 

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.misc,comp.security.pgp.discuss
Subject: Re: Weakness Found in Alternative Signature Format
Date: Wed, 28 Apr 1999 18:56:18 -0700

Sal wrote:
> If all the personal computers in the world (260 million) were put
> to work on a single PGP-encrypted message, it would still take
> an estimated 12 million times the age of the universe, on average,
> to break a single message.
> --William Crowell, Deputy Director, National Security Agency, March 20,
> 1997.
> ------------------------
> 
> Should we believe it?

Close enough.  Assuming the universe is 13 billion years old, I
make it about 3 million times the age of the universe on average,
figuring 500,000 keys/sec (from today's distributed.net RC5 project
cores).  A factor of four difference corresponds well enough to the
Moore's Law increase between then and now.

However, note that he specifies "personal computers".  If we used
260 million special-purpose computers of Deep Crack's caliber, it
would take a mere 300 times the age of the universe.  On average.
If I have my decimal points in the right place.

As Doug Gwyn points out regularly, though, the big boys don't regard
brute force as an efficient way to cryptanalyze a system.  We have
no information on whether Crowell et al. can do better than brute
force on PGP's algorithms.  Who knows, maybe they even know how to
factor, and don't <need> to worry about the symmetric algorithms.

-- 
        Jim Gillogly
        8 Thrimidge S.R. 1999, 01:40
        12.19.6.2.13, 9 Ben 1 Uo, Eighth Lord of Night
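
A worked version of the estimate above, added here as an example and not part of the post. It assumes a 128-bit symmetric key (the IDEA key size PGP used), 260 million machines at 500,000 keys per second each, a 13-billion-year-old universe, and the usual expectation that half the key space is searched before the key turns up. The 56-bit line goes beyond the post to show what the same fleet does to a DES-sized key.

```go
package main

import (
	"fmt"
	"math"
)

const secondsPerYear = 365.25 * 24 * 3600

// expectedBruteForceSeconds returns the average time to find a key of keyBits
// bits by exhaustive search with the given number of machines, each testing
// keysPerSec keys per second. On average half the key space is searched.
func expectedBruteForceSeconds(keyBits int, machines, keysPerSec float64) float64 {
	keySpace := math.Pow(2, float64(keyBits))
	return keySpace / 2 / (machines * keysPerSec)
}

// universeAges expresses a duration in seconds as a multiple of the age of
// the universe, taken as universeYears years.
func universeAges(seconds, universeYears float64) float64 {
	return seconds / (universeYears * secondsPerYear)
}

func main() {
	machines := 260e6      // "all the personal computers in the world"
	keysPerSec := 5e5      // per machine, the distributed.net RC5 figure quoted above
	universeYears := 13e9  // assumed age of the universe
	for _, bits := range []int{56, 128} {
		secs := expectedBruteForceSeconds(bits, machines, keysPerSec)
		fmt.Printf("%3d-bit key: %.3g s on average = %.3g universe ages\n",
			bits, secs, universeAges(secs, universeYears))
	}
}
```

The 128-bit figure comes out near 3 million universe ages, matching the post; the 56-bit figure comes out in minutes, which is the difference between "the key space is beyond reach" and "the key space is a weekend project" that a factor of 2^72 buys.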

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Algorithms where encryption=decryption?
Date: Wed, 28 Apr 1999 16:04:51 -0600

In article <[EMAIL PROTECTED]>, Anne Veling
<[EMAIL PROTECTED]> wrote:

> Hi everyone,
> 
> I am looking for any algorithms that can be used in encryption in which
> the encryption algorithm is the same as the decryption algorithm.
> 
> For instance:
> 
> the well-known ROT-13 (a unary encryption algorithm (uses only one
> parameter))
> 
> Or f(x)=-x
> Or f(x)=1/x (not so useful for encryption)
> 
> Or binary:
> 
> f(x,y)=x XOR y
> 
> Do you know of any other?
> 
> Thanks, bye,
> 
> Anne.
> -- 
On the Classical side, don't forget Porta's Table.

Lots of algorithms can go from encrypt to decrypt with a simple change.
However, I take it that you are after ones that require no changes at all.
-- 
If you think you are beaten, you are.
If you think you dare not, you don't.

------------------------------

From: [EMAIL PROTECTED] ()
Subject: Re: OAEP, CBC, patents, and improving PGP
Date: 29 Apr 99 03:13:43 GMT

John Savard ([EMAIL PROTECTED]) wrote:
: A while back - on September 11, 1996 for the first time,

Upon reflection, although the idea of including part of the message
instead of random padding in the RSA block had occurred to me long before,
the further step of using a hash of the rest of the message to XOR with
the first part of the message -

which I envisaged as a way to avoid trusting an encryption program to
generate random numbers (in which a modified program could leak key
information), not as a way to save slight additional bandwidth -

which resembles a technique invented by Mihir Bellare, did not occur to me
until shortly before I made that post. Perhaps it might have occurred to
me sooner if I had been on the Internet before, but in any case, now that
I found out the dates involved through searching on DejaNews, which I
didn't know at first, I don't dispute his priority.

I am noting this now after receiving an E-Mail reminding me that the
patent law could work for me as it did for Philo T. Farnsworth vis-a-vis
Vladimir Zworykin. Although earlier I didn't know exactly when this
occurred to me, I hadn't envisaged challenging the patent, but now I am
sure that he was first; I am only unsure whether I had re-invented the same
thing or not.

The reason that I have been posting on this topic is instead to advise
others of the existence of this patent, and to find out if my conclusion:
that the technique involving CBC-MAC in one patent is essentially the same
technique, while OAEP, described in a paper, only superficially resembles
it, but is fundamentally unrelated, is correct. (The purpose of OAEP is to
provide better theoretical security against attack, and it's essentially
inside-out compared to the technique I was thinking of.)

Incidentally, since an RSA modulus can't be a power of 256, there is a
tiny bit of left-over space. Instead of filling it with a small amount of
random data, one could XOR the last 152 or 144 bits of the 160-bit hash
with the first part of the message, and use the rest of the hash to select
the small random padding, thus providing no opportunity for a PGP-like
program to leak key information.

John Savard

------------------------------

From: [EMAIL PROTECTED]
Subject: Sunfish, a Blowfish variant
Date: Wed, 28 Apr 1999 23:38:11 GMT

I have proposed a variant of Blowfish which has 128 bit blocks.  I used two
different functions and bit rotations to avoid symmetries and quadratics to
help diffusion.

Please have a read (the paper is really short).  I plan to add more as I study
it.  I just started today.  It's in text format at

http://members.tripod.com/~tomstdenis/sunfish.txt

--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!


------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Wed, 28 Apr 1999 22:48:10 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...

[ ... ] 

> >5.  One of the facts of ciphering life is that we cannot prove the
> >strength of any cipher.  Even NIST review and group-cryptanalysis does
> >not give us proven strength in a cipher, so any cipher we select might
> >be already broken, and we would not know.  We cannot change this, but
> >we can greatly improve our odds as a user, by multi-ciphering under
> >different ciphers.  Doing this means an Opponent must break *all* of
> >those ciphers -- not just one -- to expose our data.  I like the idea
> >of having three layers of different cipher, each with its own key.  
> 
> Note those last 5 words.

Yes -- unfortunately, this presentation did NOT include those words -- 
quite the contrary, it specifically said that all the forms of 
encryption involved would use the same key.  It commented that this 
was less than ideal, but I think it's MUCH worse than that.  It 
basically breaks the entire idea completely.

At that point, the real question is whether you're making anywhere 
close to ideal use of the amount of secret information being used.  
Right now, a lot of security is broken based on things like people 
keeping passwords written down on slips of paper near their computer 
or terminal -- if you triple the amount of information they have to 
memorize, you might make the encryption better, but the overall 
security far worse because even more people would either write things 
down, or use easy to remember (and easy to guess) passwords and such.


------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: Extreme lossy text compression
Date: Wed, 28 Apr 1999 22:48:08 -0600

In article <[EMAIL PROTECTED]>, mok-
[EMAIL PROTECTED] says...

[ a table-driven CRC ] 

> Could you say what speed you can achieve with that on a typical
> processor (in assembler and in C or other languages)? Thanks 
> in advance.

I just did a quick check with a version I have lying around and it did 
around 5 megabytes a second on a Pentium II/400.  In all honesty, I 
suspect that a faster disk would improve that more than a faster CPU 
though.
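
A table-driven CRC-32 of the kind referred to above, added as an example (not the poster's code): the 256-entry table is built once from the reflected IEEE polynomial 0xEDB88320, each input byte then costs one table lookup and one shift, and the result is checked against Go's hash/crc32. Throughput is measured on an in-memory buffer so that disk speed, which the post suspects dominates, is left out of the measurement.

```go
package main

import (
	"fmt"
	"hash/crc32"
	"time"
)

// crcTable holds, for each byte value, the effect of shifting that byte
// through the CRC register bit by bit with the reflected IEEE polynomial.
// Building it once turns an 8-iteration bit loop into one lookup per byte.
var crcTable = makeTable(0xEDB88320)

func makeTable(poly uint32) [256]uint32 {
	var t [256]uint32
	for i := range t {
		c := uint32(i)
		for k := 0; k < 8; k++ {
			if c&1 == 1 {
				c = (c >> 1) ^ poly
			} else {
				c >>= 1
			}
		}
		t[i] = c
	}
	return t
}

// crc32Table computes the standard CRC-32 (zip, PNG, Ethernet): initial
// register all ones, reflected, final XOR with all ones.
func crc32Table(data []byte) uint32 {
	c := ^uint32(0)
	for _, b := range data {
		c = crcTable[byte(c)^b] ^ (c >> 8)
	}
	return ^c
}

// throughput returns bytes per second achieved by crc32Table over an
// in-memory buffer, so I/O does not enter into the figure.
func throughput(buf []byte, rounds int) float64 {
	start := time.Now()
	var sink uint32
	for i := 0; i < rounds; i++ {
		sink ^= crc32Table(buf)
	}
	elapsed := time.Since(start).Seconds()
	_ = sink
	return float64(len(buf)*rounds) / elapsed
}

func main() {
	// Standard check value: the CRC-32 of "123456789" is 0xCBF43926.
	check := []byte("123456789")
	fmt.Printf("crc32Table: %08x  stdlib: %08x\n", crc32Table(check), crc32.ChecksumIEEE(check))

	buf := make([]byte, 1<<20) // 1 MiB of constructed input
	for i := range buf {
		buf[i] = byte(i * 7)
	}
	fmt.Printf("throughput: %.1f MB/s\n", throughput(buf, 20)/1e6)
}
```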

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Thu, 29 Apr 1999 00:11:07 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Leonard R. Budney) wrote:
> 
> But you can't. As Bryan observed, if the stream cipher is "OTP
> quality", then it provides absolutely perfect security. Why do better
> than 100% perfect?
> 
If only the world were so perfect that keys magically transmitted
themselves.  My rough protocol solution that I would dub PACK,
polyalgorithmic complementary keys, facilitates the actual transmission of
what is necessary to reconstruct the actual needed key.

Whether you would opt for something simple like PACK-3 to PACK-100, or
more, would be a personal preference, and a measure of your faith in
ciphers in general.
-- 
If you think you are beaten, you are.
If you think you dare not, you don't.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Fri, 23 Apr 1999 11:58:29 +0200

R. Knauer wrote:
> 
> On Thu, 22 Apr 1999 16:02:32 +0200, Mok-Kong Shen
> <[EMAIL PROTECTED]> wrote:
> 
> >> You need to read his book.
> 
> >This isn't a nice cooperative attitude in scientific discussions.
> >You have apparently put much effort in studying that work. I was
> >only requesting some small clarification in order to be able to
> >discuss with you. Or were you yourself not clear about the question
> >I raised?? In that case, of course, we should delete that point from
> >our discussion.
> 
> I said you need to read the book, because that is the only way to get
> the answer to your question.

That clearly means that you also don't know the answer. Hence
we have to drop that out of our current discussion!

> 
> >Let me say once more about what I believe to be the most troublesome
> >for your discussion partners. You claim something and period, without
> >supporting arguments/clarifications.
> 
> Huh?! What are you talking about?

In plaintext: You claimed repeatedly that statistical tests can't
be applied to investigate sequences from true random processes.
The 'period' is the '.' of such type of sentences. You never
explained WHY they are not applicable. You have to show with concrete
examples that they are wrong, error-prone, or have whatever defects
you have discovered, so that scientists could attempt to do
remedies. You could also do that with purely theoretical means,
but you have to present the mathematics to prove your claim. Simply 
claiming something is faulty without any scientifically founded, 
clearly stated, understandable arguments is nonsense!!!

> 
> I have offered far more in support of my position than anyone else
> here has offered in support of the contrary position. I have offered,
> among other things, direct quotes from respected books on the subject.

When I asked the following:

   Where is Kolmogorov's recipe to deal with these 'real practical
   problems'? Could you tell that?

there was silence!!


> 
> >> I gave a sketch of how one might go about certifying a radioactive
> >> TRNG several months ago. You can look it up in the archives.

I said repeatedly that that relied on experts' judgement alone. Without 
employing (besides that) also good measurements (which involve
statistical test theories whose applicability you deny) such
judgements are simply unreliable and useless.

> 
> >Yes, that was employing experts to judge the engineering designs.
> >That (alone) is totally unreliable!!!
> 
> I suggested far more than that. Just look in the archives.

I argued that time with you. My memory on that is still fresh.
Hence I don't want to look into the archives. If you can bring
really genuine counter-arguments to the above, then please quote
one SINGLE short paragraph (of your OWN writing) clearly demonstrating 
that what I say here is wrong (and that indeed you have given FAR
more -- of meaningful arguments). Am I asking too much from you???
 
> 
> >As I said many times before, these diagnostic tests involve measurements.
> >Measurements have errors. One needs error analysis. To do error
> >analysis one needs statistical test theories. Are the test theories
> >needed to do the diagnostic tests 'non-simplistic' in your opinion??
> 
> You are not paying attention. I said repeatedly that I am not
> indicting statistical measurement in general, only with regard to a
> direct determination of non-randomness from an output sequence, and
> then only when simplistic small sample statistical tests like the
> FIPS-140 Monobit Test are used.
> 
> I give up with you. You are either deliberately trolling me or you are
> incredibly dense.

In the previous post I have taken much time to write long paragraphs 
to stress that IF you consider the currently available statistical 
tests are 'simplistic', no good, error-prone, or having whatever other
defects/disadvantages you discern, THEN please be kind and good enough 
(not only to me but also to the group and to the large scientific
community) to formulate your arguments in a way that researchers in 
statistics could well and unambiguously understand (i.e. in the normal 
style for publication in journals) with whatever numerical results you 
may have and publish these (in this and other related groups, on your 
web page, etc.) and send these valuable arguments to the appropriate 
persons (e.g. the FIPS guys) or submit that as a normal paper for 
a journal of statistics/mathematics/cryptology (or only as a letter 
to the editor which will normally be quickly published) so that there 
can be a chance of your precious views, if correct, resulting
in real scientific advancement. I also suggested that since you
have discovered (if you are right) defects that have escaped the
attention of other scientists, you very probably have a good chance 
of developing the wished-for 'non-simplistic' statistical
tests yourself (for you are ahead of the other scientists in this
issue). Simply claiming that the monobit test is simplistic without 
supporting material (theory, numerical results, etc.) is analogous 
to simply claiming that there is intelligent life elsewhere in the 
universe without supporting material. Indeed science fiction authors
do that. But we are in 'sci.crypt' not in 'sci.fic.crypt'!!!!!


M. K. Shen
http://www.stud.uni-muenchen.de/~mok-kong.shen/ (Updated: 12 Apr 99)
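
The FIPS 140-1 monobit test that the thread keeps returning to, added here as an example and not part of either participant's post: take 20,000 bits, count the ones, pass if the count lies strictly between 9,654 and 10,346. The inputs are constructed. The alternating byte 0xAA passes with exactly 10,000 ones, which is the sense in which a lone monobit count is a weak check; the sigma function shows the error analysis behind the bounds, which sit about 4.9 standard deviations from the mean of an ideal fair-coin source.

```go
package main

import (
	"fmt"
	"math"
	"math/bits"
	"math/rand"
)

// FIPS 140-1 monobit test parameters: 20,000 bits, pass if the number of
// ones lies strictly inside (9654, 10346).
const (
	monobitBits = 20000
	monobitLow  = 9654
	monobitHigh = 10346
)

// countOnes counts the set bits in the first monobitBits bits of data.
func countOnes(data []byte) int {
	if len(data)*8 < monobitBits {
		panic("countOnes: need at least 20000 bits")
	}
	n := 0
	for _, b := range data[:monobitBits/8] {
		n += bits.OnesCount8(b)
	}
	return n
}

func monobitPass(data []byte) bool {
	n := countOnes(data)
	return n > monobitLow && n < monobitHigh
}

// sigma returns how many standard deviations a bound lies from the mean of
// an ideal source: mean 10000, sd sqrt(20000 * 0.25) = 70.7. The bounds sit
// about 4.9 sd out, so a perfect source fails roughly one time in a million.
func sigma(bound int) float64 {
	mean := float64(monobitBits) / 2
	sd := math.Sqrt(float64(monobitBits) * 0.25)
	return math.Abs(float64(bound)-mean) / sd
}

func main() {
	// Constructed inputs: alternating bits, all zeros, and a seeded PRNG.
	alt := make([]byte, monobitBits/8)
	for i := range alt {
		alt[i] = 0xAA
	}
	zeros := make([]byte, monobitBits/8)
	prng := make([]byte, monobitBits/8)
	rand.New(rand.NewSource(1)).Read(prng)

	fmt.Println("alternating 0xAA:", monobitPass(alt), "ones =", countOnes(alt))
	fmt.Println("all zero:        ", monobitPass(zeros), "ones =", countOnes(zeros))
	fmt.Println("math/rand seed 1:", monobitPass(prng), "ones =", countOnes(prng))
	fmt.Printf("bounds sit %.2f sd from the mean\n", sigma(monobitLow))
}
```

The alternating input is the useful one: it is about as far from random as a sequence gets and the monobit count cannot see it, which is why FIPS 140-1 pairs this test with poker, runs and long-run tests rather than relying on it alone.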

------------------------------

From: [EMAIL PROTECTED]
Subject: Solitaire Encryption Algorithm
Date: Thu, 29 Apr 1999 05:51:06 GMT

I (also) tried to do sample 1 of the Solitaire algorithm, as described at
http://www.counterpane.com/solitaire.html, and I (too) can't seem to get it
right. Can anybody please assist me in telling what I do wrong?

Notation roughly follows that of the article: the initial
deck is: {B, A, 52 .. 1}, where B (joker) is the top of the stack, 1
(Ace of clubs) is the bottom. I use 'x .. y' to mean x down to (and
including) y.

Start:  { B, A, 52, 51 .. 1}
step 1: { B, 52, A, 51 .. 1}
step 2: { 52, A, B, 51 .. 1}
step 3: { 51 .. 1, A, B, 52}
step 4: { B, 51 .. 1, A, 52} so we have (53), not 4.

step 1: { B, 51 .. 1, 52, A}
step 2: { 51, 50, B, 49 .. 1, 52, A }
step 3: { B, 49 .. 1, 52, A, 51, 50 }
step 4: { 52, A, 51, B, 49 .. 5, 4, 3, 2, 1, 50 }, so we have 2.

step 1: { 52, 51, A, B, 49 .. 1, 50 }
step 2: { 52, 51, A, 49, 48, B, 47 .. 1, 50 }
step 3: { 47 .. 1, 50, A, 49, 48, B, 52, 51 }
step 4: { B, 52, 47 .. 1, 50, A, 49, 48, 51 }, so we have 48.

step 1: { B, 52, 47 .. 1, 50, 49, A, 48, 51 }
step 2: { 52, 47, B, 46 .. 1, 50, 49, A, 48, 51 }
step 3: { 48, 51, B, 46 .. 3, 2, 1, 50, 49, A, 52, 47 }
step 4: { 2, 1, 50, 49, A, 52, 48, 51, B, 46 .. 11, 10, 9, 8, 7, 6, 5,
4, 3, 47 }, so we have 9.

etc.

I'm looking forward to any reaction.

Rieks Joosten
[EMAIL PROTECTED]
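
An added implementation of Solitaire (example code, not the poster's or Counterpane's), following the five steps as described at the URL above, which can be run from any starting deck. The unkeyedDeck function builds the deck sample 1 starts from, the cards 1..52 in order from the top with the A joker and then the B joker at the bottom, and from that deck the program reproduces the published first outputs 4, 49, 10 and the sample ciphertext beginning E X K for a run of A's.

```go
package main

import "fmt"

// Cards are 1..52; the jokers get distinct values but both count as 53.
const (
	jokerA = 53
	jokerB = 54
)

func value(card int) int { // number a card stands for in steps 4 and 5
	if card > 53 { return 53 }
	return card
}

func indexOf(deck []int, card int) int {
	for i, c := range deck {
		if c == card { return i }
	}
	panic("card not in deck")
}

// moveDown moves card one place toward the bottom; from the bottom it wraps
// to just below the top card.
func moveDown(deck []int, card int) {
	i := indexOf(deck, card)
	if i == len(deck)-1 {
		copy(deck[2:], deck[1:i])
		deck[1] = card
		return
	}
	deck[i], deck[i+1] = deck[i+1], deck[i]
}

// nextOutput runs one round of the shuffle in place and returns the output
// value 1..52, repeating the round whenever the output card is a joker.
func nextOutput(deck []int) int {
	n := len(deck)
	for {
		moveDown(deck, jokerA) // step 1: A joker down one
		moveDown(deck, jokerB) // step 2: B joker down two
		moveDown(deck, jokerB)
		// step 3: triple cut, swapping the cards above the first joker with
		// those below the second joker
		i, j := indexOf(deck, jokerA), indexOf(deck, jokerB)
		if i > j { i, j = j, i }
		cut := append([]int{}, deck[j+1:]...)
		cut = append(cut, deck[i:j+1]...)
		cut = append(cut, deck[:i]...)
		copy(deck, cut)
		// step 4: count cut by the bottom card's value; the bottom card stays
		k := value(deck[n-1])
		cut = append([]int{}, deck[k:n-1]...)
		cut = append(cut, deck[:k]...)
		cut = append(cut, deck[n-1])
		copy(deck, cut)
		// step 5: count down by the top card's value (top card counts as 1);
		// the card after the one counted to is the output
		if out := deck[value(deck[0])]; out != jokerA && out != jokerB {
			return out
		}
	}
}

// keystream returns the first n outputs from a copy of deck.
func keystream(deck []int, n int) []int {
	d := append([]int{}, deck...)
	out := make([]int, n)
	for i := range out {
		out[i] = nextOutput(d)
	}
	return out
}

// unkeyedDeck is 1..52 top to bottom, then the A joker, then the B joker.
func unkeyedDeck() []int {
	deck := make([]int, 54)
	for i := range deck {
		deck[i] = i + 1
	}
	return deck
}

// transform adds (sign 1) or subtracts (sign -1) the keystream mod 26;
// text must be the letters A..Z only.
func transform(text string, deck []int, sign int) string {
	ks := keystream(deck, len(text))
	out := make([]byte, len(text))
	for i := range out {
		p := int(text[i] - 'A')
		out[i] = byte('A' + ((p+sign*ks[i])%26+26)%26)
	}
	return string(out)
}

func encrypt(text string, deck []int) string { return transform(text, deck, 1) }
func decrypt(text string, deck []int) string { return transform(text, deck, -1) }

func main() {
	fmt.Println("first outputs:", keystream(unkeyedDeck(), 10))
	c := encrypt("AAAAAAAAAA", unkeyedDeck())
	fmt.Println("AAAAAAAAAA ->", c, "->", decrypt(c, unkeyedDeck()))
}
```

To trace a different starting arrangement, pass your own 54-element slice to keystream in place of unkeyedDeck(); the deck is listed top to bottom, and the orientation of the deck is the first thing to compare when a hand-worked run disagrees with the sample.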


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
