Cryptography-Digest Digest #563, Volume #9 Wed, 19 May 99 10:13:02 EDT
Contents:
Re: Encrypted Phones ("John Leiseboer")
Re: symmetric boolean functions ("Gary Forbis")
Re: where can i find a frequency list? (Stefan Katzenbeisser)
Re: symmetric boolean functions (Hankel O'Fung)
Re: symmetric boolean functions (Hankel O'Fung)
Re: Security ([EMAIL PROTECTED])
Re: Keyed bit permutation ([EMAIL PROTECTED])
Re: Need to design basic authentication system (Mark Carroll)
Re: where can i find a frequency list? (Mok-Kong Shen)
Re: Cryptonomicon Review (Mok-Kong Shen)
Re: symmetric boolean functions (Hankel O'Fung)
Re: Can Somebody Verify My DES execution? (Eric Young)
STOA report (Mok-Kong Shen)
Re: where can i find a frequency list? (Patrick Juola)
Re: prime numbers and the multplicative inverse (Bob Silverman)
----------------------------------------------------------------------------
From: "John Leiseboer" <[EMAIL PROTECTED]>
Subject: Re: Encrypted Phones
Date: Thu, 13 May 1999 22:49:48 +1000
SafeGuard International (a spin-off of QPSX Communications www.qpsx.com.au)
manufactures a product called SafeGuard Executive.
This unit provides voice, fax and data encryption all in one box. It uses
3-DES for encryption and Diffie-Hellman for the Key Exchange Algorithm. It
is extremely simple to use (I've used it in anger many times). You plug your
telephone, fax machine and/or serial device (e.g. PC) into the unit, and
connect to the PSTN. After that it's just like using a telephone or fax
connected to a PBX (0 for plain, 1 for secure), or a PC connected to a modem
(AT command set).
I believe that SafeGuard International is negotiating with a
distributor/manufacturer in the United States.
It's a good product - one that I can recommend.
John Leiseboer
William R. Bishop <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Greetings,
>
> The only encrypted phones I can find are being produced by the
> federal systems division of motorola (like we should trust them?).
>
> Does anyone know of any digitally encrypted (super secure) phones
> that can be plugged in and used over standard phone lines? PGP
> phone is the closest thing I can find, but I need boxes that are
> "plug and play" (don't require a MS O.S.).
>
> thanks in advance,
>
> Bill Bishop
>
> --
> Academy Award winning Digital Imaging Product Development consultant
> William R. Bishop - [EMAIL PROTECTED] - http://pcisys.net/~wrb/
> Anti-SPAM measure - remove NOSPAM from reply address
------------------------------
From: "Gary Forbis" <[EMAIL PROTECTED]>
Crossposted-To:
sci.chem,sci.econ,sci.image.processing,sci.electronics.design,sci.physics,sci.physics.fluid-dynamics,sci.math
Subject: Re: symmetric boolean functions
Date: Wed, 19 May 1999 00:02:36 -0700
Hankel O'Fung <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Thanks a lot, Ted and Russell. Yes, the parity function and the
> (multiple) AND and (multiple) OR operators are good examples. Are there
> any examples that looks more "strange" (or less classical)? For example,
> a symmetric or shift-invariant boolean function whose output is not
> boolean but may take more than two values (that's why I considered also
> f:{0,1}^n --> (0,1)^n).
I'm a bit confused by the notion of a boolean function whose output is not
boolean.
Isn't the definition of a boolean function one whose output may take only
one
of possible values?
Would you consider the max function to be shift-invariant?
(example, Max(1, 2, 3) = Max (3, 1, 2) = 3)
Checksum is shift-invariant with booleans arguments.
(Checksum(1, 1, 0, 1) = Checksum(1, 1, 1, 0) = 3)
------------------------------
From: Stefan Katzenbeisser <[EMAIL PROTECTED]>
Crossposted-To: [EMAIL PROTECTED]
Subject: Re: where can i find a frequency list?
Date: Wed, 19 May 1999 08:50:43 +0200
Pete wrote:
>
> dear all,
>
> i used to have a book that had marvellous frequency tables,
> digraphs,
> double letters, etc. the book was stolen from me a long, long
> time ago
> and i can't remember what the title was.
>
Try
ftp://ftp.ox.ac.uk/pub/crypto/cryptanalysis/basic_cryptanalysis.ps.tar.gz
As far as I can remember, there are numerous tables in it...
Regards,
S.K.
--
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Stefan Katzenbeisser
| e-mail: [EMAIL PROTECTED]
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
------------------------------
From: Hankel O'Fung <[EMAIL PROTECTED]>
Crossposted-To:
sci.chem,sci.econ,sci.image.processing,sci.electronics.design,sci.physics,sci.physics.fluid-dynamics,sci.math
Subject: Re: symmetric boolean functions
Date: Wed, 19 May 1999 14:14:05 -0700
Medical Electronics Lab wrote:
> The Trace() function maps {0,1}^n -> (0,1) over GF(2^n). If you
> use a normal basis, the output is shift-invariant. I don't understand
> what sigma does. If you use a polynomial basis, the Trace() is
> not shift invariant, but I can't say I understand "symmetric".
Thanks for your help, but please forgive my ignorance. What are the
definitions of Trace() and GF(2^n)? I am also interested in any textbooks
or journal papers that point to the application of the function you
mentioned. Any suggestions?
BTW, forget the sigma. By "symmetric" I just mean that f(x1, x2, ..., xn)
= f(y1, y2, ..., yn) for ANY rearrangement y1, ..., yn of the n boolean
variables x1, ..., xn. For n=3, this means f(x1,x2,x3) = f(x1,x3,x2) =
f(x2,x1,x3) = f(x2,x3,x1) = f(x3,x1,x2) = f(x3,x2,x1).
Thanks.
Hankel
------------------------------
From: Hankel O'Fung <[EMAIL PROTECTED]>
Crossposted-To:
sci.chem,sci.econ,sci.image.processing,sci.electronics.design,sci.physics,sci.physics.fluid-dynamics,sci.math
Subject: Re: symmetric boolean functions
Date: Wed, 19 May 1999 14:25:16 -0700
Thanks a lot, Ted and Russell. Yes, the parity function and the
(multiple) AND and (multiple) OR operators are good examples. Are there
any examples that looks more "strange" (or less classical)? For example,
a symmetric or shift-invariant boolean function whose output is not
boolean but may take more than two values (that's why I considered also
f:{0,1}^n --> (0,1)^n).
Regards, Hankel
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Security
Date: Wed, 19 May 1999 10:59:47 GMT
> I think you are correct in that any algorithm will (potentially) leak
some
> information, as it is not a OTP, but in the case of a well designed
> algorithm it might only allow the shaving of a bit off the key( or
> potentially less) in an idealized attack protocol. Cryptanalisys is
the
> art of pulling every bit (or fraction thereof) of information
leakage out
> of a cypher. Yes for any algorithm there will be a faster than brute
force
> attack, but in the case of most well designed algoritims your ability
to
> break a 128bit cypher in (2^126.999998) trials with a space usage of
the
> same is a useless break.
Ah, but a break none the less. What I am saying is that since
encryption is a deterministic process there will always exist a counter
deterministic process. Since the key is actually used it's presence is
measurable (often not enough tough), etc... etc...
A cipher is only provably secure if all outputs are possible (random
distribution based on the key) given any input. How do you create this
random distribution in one round? If there are any one round
characteristics (or linear approximations) chances are the algorithm
can be cracked in reduced-round variants (and possible full-round).
Here's a question, are there any one round symmetrical key ciphers?
Just wondering. I know about the DLP style algorithms, but are there
any others?
Tom
--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Keyed bit permutation
Date: Wed, 19 May 1999 11:04:56 GMT
> Actually, you can do it with 3 XORs and an AND. That's the way I
> implemented it in the ICE source (http://www.darkside.com.au/ice).
Or with 5 256kb tables... :)
It would be a
unsigned long p_table[5][256][256]
Where the first index is the 5 bytes, then the second index is the
actual byte, and the last is where the subkey plugs in. You or the
five together and get a free permutation.
I think... This is off the top of my head (but would possibly make ICE
way faster). You could probably do the same for the final permutation
unsigned long fp_table[4][256]
So in total this would require (4 * 256)(4) + (256 * 256 * 5)(4) or
1,314,816 bytes (1284 KB). Not a prob on desktop computers :)
Tom
--
PGP public keys. SPARE key is for daily work, WORK key is for
published work. The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'. Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'. Try SPARE first!
--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---
------------------------------
From: [EMAIL PROTECTED] (Mark Carroll)
Subject: Re: Need to design basic authentication system
Date: 19 May 1999 11:36:26 +0100 (BST)
In article <Y0l03.35263$[EMAIL PROTECTED]>,
Tim Mavers <[EMAIL PROTECTED]> wrote:
>Mark Carroll wrote in message ...
(snip)
>Actually, I am still concerned with intranet security as software sniffers
>are pretty common (and easy to use) nowdays. I am a bit uncomfortable with
>the initial password sent in an insecure way initially. If I was sniffing,
Yes, you should be. (-:
>I would just analyze the data for a few days and then I need not be worried
>about the hashing done as I would just watch for a "new user" signing on.
(snip)
>There really is no shared secret between the server and client initially.
Ah, that's a pity. Hard to avoid man-in-the-middle attacks then (this
is why ssh keeps a local database of host keys). Let's assume the
attacker is passive, and is just packet sniffing or something...
>As I mentioned earlier, the server could exist in a different country and it
>might be a bit harder to exchange new user passwords. Then again, maybe
>having the user create a new acct shouldn't be allowed and the admin should
>do it and transmit the password in a secure means (or whatever way they
>want).
(-: Yes, the latter is usually what happens!
However, it is possible for two hosts to negotiate a session key
without a passive eavesdropper learning what it is. For instance, if
the client has a local public/private key pair, it could send the
server the public key, the server could think of a session key and
encrypt it with the public key, and then send it to the client who can
use their private key to decrypt it. But, you can certainly improve on
this. I'm just using it as a really simple example to show that it's
possible. (-: ISTR something really neat where half the key goes at a
time, but I forget what; there'll be plenty of people who have good
suggestions though. How does ssh do it, for instance? (-:
-- Mark (who has no crypto books handy right away...)
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: where can i find a frequency list?
Date: Wed, 19 May 1999 11:11:07 +0200
Pete wrote:
>
> can someone point me to frequency tables on the net? if none exist (that
> are known) can you point me to a book with a decent one?
Many crypto books have such tables as others have pointed out. I
suppose that what is wanting and can be interesting are frequency
distributions of single characters after subtracting out from the
text meterials those occuring in a set of high frequency digrams and
trigrams. Does anyone happen to know such frequency counts?
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Cryptonomicon Review
Date: Wed, 19 May 1999 11:00:30 +0200
Alan J. Robinson wrote:
>
> John von Neumann may have possibly been the smartest man who ever lived,
> but he also came up with some clinkers like this one. Even the
> unfortunate founding of the Nobel Prize in Economics reflects his
> influence. In fact, economic situations are only partially
> mathematically predictable, like many other types of systems, not the
> least because of the phenomenon of chaos.
If there is a choice of fonts, I would in your place write 'partially'
in a tiny font. Not long ago a large hedge fonds got into severe
trouble such that a number of huge banks 'must' help and there were a
couple of the Economics Nobel Prize winners in that company, if my
information is correct. Economic fluctuations are 'chaotic', but trying
to capture that with the mathematical chaos theory as Mandelbrot does
(in particular what concerns the stock market, see e.g. a recent
article in Scientific American) wouldn't go very far, I suppose. Not
everything that applies well to physics is good for non-physical
disciplines. The stock market is largely driven by the psychology of
the (human) mass and also sensitive to, among others, such barely
predictable (in time) events as outbreaks of wars. Thus the
determining factors of economics are, at least in a large part,
essentially 'irrational'. Attempting to model irrationality with
mathematics which is rational is doomed to failure, I believe.
M. K. Shen
------------------------------
From: Hankel O'Fung <[EMAIL PROTECTED]>
Crossposted-To:
sci.chem,sci.econ,sci.image.processing,sci.electronics.design,sci.physics,sci.physics.fluid-dynamics,sci.math
Subject: Re: symmetric boolean functions
Date: Wed, 19 May 1999 17:12:23 -0700
Gary Forbis wrote:
> I'm a bit confused by the notion of a boolean function whose output is not
> boolean.
> Isn't the definition of a boolean function one whose output may take only
> one
> of possible values?
I was wrong. Boolean functions (or switching functions) are those that take
boolean (vector) inputs and generate boolean (vector) outputs. If the range is
(0,1), the function shouldn't be called boolean. Yet, I still need to know any
possible applications of symmetric or shift-invariant functions taking boolean
vector inputs and generate outputs in {0,1} or (0,1), especially when the
functions are not the "classical" ones.
> Would you consider the max function to be shift-invariant?
> (example, Max(1, 2, 3) = Max (3, 1, 2) = 3)
>
> Checksum is shift-invariant with booleans arguments.
> (Checksum(1, 1, 0, 1) = Checksum(1, 1, 1, 0) = 3)
Yes, they are, but they are much more than shift-invariant --- they are
symmetric, indeed. And the domain of Max() isn't {0,1}^n (or when it is, Max
is simply the multiple AND). But thanks. Yes, the checksum is a good example
(after some scaling --- I need the range of the function to be in (0,1)).
BTW, a gentleman contacted me in private, and suggested me to look for the
applications of a wider class of functions than the symmetric and
shift-invariant ones. He was right. In fact, I am happy to know any
applications of functions f: {0,1}^n --> (0,1) or g: {0,1} --> {0,1}, but I
have a more urgent need to know those for the symm. or shift-invar. cases.
What we have now: parity function (hence XOR when n=2), AND, OR, max, min,
checksum).
Cheers, Hankel
------------------------------
From: Eric Young <[EMAIL PROTECTED]>
Subject: Re: Can Somebody Verify My DES execution?
Date: Wed, 19 May 1999 19:36:10 +1000
Richard Outerbridge wrote:
> In article <7hrk7q$8do$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Thomas Pornin) wrote:
> a) verify that the weak-key property holds (encrypt twice using the same
> weak key equals pt for all four weak-keys);
I would also mention that good test vectors can pick up problems in
compilers. If I remember correctly, some of my cipher code has broken
under older versions of AIX with the optimiser cranked up.
I've also found that SCO and QNX 'bc' implementations are broken while
using it to verify the output from a bignum library.
> If anyone would like arbitrary test-vector triples from an implementation
> I'm pretty sure of, feel free to ask.
There are numerous DES implementations to test against. When I
originally
implemented IDEA I had the input 'shorts' in the wrong byte order. The
spec
and test vectors did not specify the byte order when converting from
byte to short. The 'convention' was bigendian. (there was subsequently
released
a page specifying byte order). All test vectors passed, but I could not
inter operate.
When testing keyschedule setup, different DES implementations use
big-endian
or little-endian internally, so for the highly optimised versions of
DES,
it is often rather hard to look at the progressive internal results to
compare
your own version.
Algorithms like MD5 are little endian and SHA1/IDEA/blowfish are
bigendian.
This is often not made very clear in the specification, especially when
test
vectors are not specified in bytes.
eric (rambling on a bit...)
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: STOA report
Date: Wed, 19 May 1999 11:38:53 +0200
For those who may be interested in STOA report, I am attaching
below a post of John Young that I received in another group. You
may also look at:
http://www.iptvreports.mcmail.com/interception_capabilities_2000.htm
M. K. Shen
========================================
The author of the STOA report on Echelon, Duncan Campbell,
offers the report:
http://www.iptvreports.mcmail.com/stoa_cover.htm
We offer a zipped version Duncan provided:
http://jya.com/ic2000.zip (961K)
There are two others in the series which are now completed
of comparable interest, both of which should be available
soon if we can get STOA's agreement to allow publication
prior to their being offered at the STOA site:
(1)The legality of the interception of electronic communications:
A concise survey of the principal legal issues and instruments
under international, European and national law, by Chris ELLIOTT,
Surrey, UK
Final Study, Working document for the STOA Panel, Workplan 1998 -
98/14/01, EN, April 1999, PE 168.184/part 2/4
(2)Encryption and cryptosystems in electronic surveillance:
A survey of the technology assessment issues, by Franck
LEPRÉVOST, Technische Universität Berlin, Germany
Final Study, Working document for the STOA Panel, Workplan 1998 -
98/14/01, EN, April 1999, PE 168.184/part 3/4
The fourth in the series has not been publicized on the
STOA site.
The person at STOA in charge if anyone wants to encourage
early release:
Frans SCHAERLAEKEN
Parlement Européen
STOA SCH 4/62
L-2929 Luxembourg
E-mail: [EMAIL PROTECTED]
The reason I'm told STOA has not formally released the
documents is that there is considerable dispute within
the European Parliament about informing the public
on the true state of surreptitious electronic surveillance
and other technologies of political control.
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: where can i find a frequency list?
Date: 19 May 1999 09:48:25 -0400
In article <[EMAIL PROTECTED]>,
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>Pete wrote:
>>
>> can someone point me to frequency tables on the net? if none exist (that
>> are known) can you point me to a book with a decent one?
>
>Many crypto books have such tables as others have pointed out. I
>suppose that what is wanting and can be interesting are frequency
>distributions of single characters after subtracting out from the
>text meterials those occuring in a set of high frequency digrams and
>trigrams. Does anyone happen to know such frequency counts?
Easy enough to roll your own.
And, I suspect, not the stuff that you would find published tables
for (or find them to be any use if someone *were* fool enough to
publish such a table).
In general (and vastly oversimplified), most of the "high frequency"
stuff in linguistic distributions is general, language-specific but
not document-specific information. For example, the most common words
in almost any English document of interest are words like 'the' and 'of';
high-frequency, low-meaning "function words."
When you subtract out the high frequency digraphs, you'll be left with
the underlying distribution of the low(er) frequency words in the
document of interest, which tend to be very strongly associated with
the content and register of the document. So the words that are moderately
common in (e.g.) a Ph.D. dissertation will have little to do with the
words that are moderately common in an issue of _Sports Illustrated_;
furthermore, the January _Sports Illustrated_ may well have little to
do with the July _SI_ as the content will have changed so radically.
This *might* be an interesting way to do document classification -- but
the cryptographic applications are limited.
-kitten
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: prime numbers and the multplicative inverse
Date: Wed, 19 May 1999 13:54:15 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:
> [EMAIL PROTECTED] wrote, in part:
>
> >I haven't been able to find an answer to this question. Why does IDEA
> >use a prime field for it's multiplication?
>
> >Does the field need to be prime to have a multiplicative inverse?
>
> Yes. If it is not prime, then numbers not relatively prime to the
> modulus have no inverse; if it is prime, every nonzero number has an
> inverse.
NO! The field does NOT need to be a prime field. GF(2^101) for
example, is not a prime field. Yet it is indeed a field, so every
non-zero element has an inverse.
Perhaps, the original poster meant to enquire about the difference
between a field and a ring, rather than about prime vs. non-prime
FIELDS? He phrased the question with respect to fields, but perhaps
he meant more general modular arithmetic with respect to a prime vs.
non-prime modulus?
>
> This is explained on the section of my web page about IDEA.
I hope not, because your answer (to the question as asked) is WRONG.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
