Cryptography-Digest Digest #171, Volume #10       Fri, 3 Sep 99 22:13:03 EDT

Contents:
  Re: Schneier/Publsied Algorithms (Eric Lee Green)
  Re: 512 bit number factored (Wei Dai)
  Re: SQ Announcement (SCOTT19U.ZIP_GUY)
  Re: Schneier/Publsied Algorithms (SCOTT19U.ZIP_GUY)
  Re: 512 bit number factored ([EMAIL PROTECTED])
  Re: Schneier/Publsied Algorithms (David A Molnar)
  Re: Re: 512 bit number factored (Wei Dai)
  More information on TEA available? ("Greg Keogh")
  Re: Alleged NSA backdoor in Windows CryptoAPI ([EMAIL PROTECTED])
  Re: Schneier/published algorithms (SCOTT19U.ZIP_GUY)

----------------------------------------------------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: Schneier/Publsied Algorithms
Date: Fri, 03 Sep 1999 23:17:02 GMT

"SCOTT19U.ZIP_GUY" wrote:
> >top five finalists. Sounds like it's pretty solid to me, though some of the
> >other AES candidates also have good points that make them worth looking at.
> >
>  Yeah I've been wondering just what those "good points" are. Will the NSA
> ever tell us.?

Probably not, but Brian Gladman ( http://www.seven77.demon.co.uk/index.htm ) is
not shy about what he sees as strengths and weaknesses. I'm sure I can find
others with their own opinions if I looked. 

The biggest unknown is RC6. It is simple and fast -- but is it secure? Given
RSA's long flirtation with the NSA, that's the billion-dollar question. It's
hard to believe that something so simple could be secure, but on the other hand
the principal designers of RC6 do have a lot of experience in the field and
maybe they're just smarter than the rest of the AES contributors. 

I *WILL* point out that design of block ciphers is not exactly brain surgery in
this day and age. This is a field which is, to a certain extent, mature, unlike
the field of public key encryption, which is still in its infancy. 

-E

------------------------------

From: [EMAIL PROTECTED] (Wei Dai)
Subject: Re: 512 bit number factored
Date: Fri, 3 Sep 1999 17:24:48 -0700

In article <7qog0k$aj4$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> A 700 bit number is about 730 times as difficult as 512-bits
> in terms of *time* and  27 times as difficult in terms of space.
> 
> Each of these 20K computers will need 2 to 3 Gbytes of memory
> (for the sieving phase)
> 
> In 1990 my Sparc-10 on my desk had 32M of RAM.  Now,  my
> dual-proc P-450 has 256M.   We *might* see workstations & desktops
> with 2-3Gbytes in 10 years,  but I doubt that they will be common
> enough to gather 20,000 of them for a year.  I don't see most
> applications needing that kind of memory.  512M???  Sure!  But
> not 3G.

First, nine years from now, you won't need 20000 computers with 2-3 GB of 
memory, you'll only need 500. Second, do you really need 2 to 3 GB of RAM 
or can some of that space be hard disk space? Perhaps it is also possible 
to trade off between time and space so you use 512 MB of space but more 
time. I'm sure you know better than I do what the exact tradeoff is.  
Finally, even if you really do need 3 GB of RAM, at today's prices it's 
only a couple thousand dollars. In 9 years 2 GB of RAM will probably cost 
around $100.

> It took a very large Cray (C90)  10 days and about 2.4 Gbytes
> of memory to handle the matrix.  I don't see Crays getting
> significantly faster in the next 9 years.  We might see a factor of
> 4 to 5, but I doubt more than that.
> 
> With C90 hardware, the matrix for 700 bits would take 7300 days
> and require about 60 Gbytes of memory.

If vector-processing supercomputers are not improving as fast as 
workstation CPUs, an obvious question to ask is whether distributed 
memory parallel processing supercomputers (Intel has built one with 1.8 
TFLOPS compared to 12 GFLOPS of the C90) can be used to solve the matrix 
problem. Is there any reason why they can't?
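The scaling figures in the post quoted above (roughly 730 times the time and 27 times the space to go from 512 to 700 bits) are what the standard heuristic running time of the general number field sieve predicts. The following is an added worked example, not code from either poster: it assumes the usual L_n[1/3, (64/9)^(1/3)] work estimate with constant factors ignored, and takes the factor-base/matrix size to grow as L_n[1/3, (8/9)^(1/3)], the square root of the work term. Whether the quoted poster used exactly this estimate is an assumption; the `bits_reachable_with` helper and the 64x budget in the demo are constructed here, not figures from the thread.

```python
import math

# Heuristic GNFS constants (standard asymptotic analysis, constant factors ignored).
GNFS_WORK_C = (64 / 9) ** (1 / 3)   # exponent constant for running time, ~1.923
GNFS_SPACE_C = (8 / 9) ** (1 / 3)   # exponent constant for factor-base / matrix size, ~0.961


def l_exponent(bits, c):
    """Exponent of L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3))
    for a modulus n of the given bit length."""
    ln_n = bits * math.log(2)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def work_ratio(bits_from, bits_to):
    """Factor by which the sieving work grows between two modulus sizes."""
    return math.exp(l_exponent(bits_to, GNFS_WORK_C) - l_exponent(bits_from, GNFS_WORK_C))


def space_ratio(bits_from, bits_to):
    """Factor by which the factor base (and hence the matrix) grows.
    Because GNFS_SPACE_C == GNFS_WORK_C / 2, this is the square root of the work ratio."""
    return math.exp(l_exponent(bits_to, GNFS_SPACE_C) - l_exponent(bits_from, GNFS_SPACE_C))


def bits_reachable_with(bits_from, speedup, hi=4096):
    """Largest bit length whose heuristic work is at most `speedup` times that of
    `bits_from`, found by bisection on the monotone exponent. `speedup` is a
    hardware/time budget assumption supplied by the caller (constructed here)."""
    target = l_exponent(bits_from, GNFS_WORK_C) + math.log(speedup)
    lo = bits_from
    while hi - lo > 1e-6:
        mid = (lo + hi) / 2
        if l_exponent(mid, GNFS_WORK_C) <= target:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    print(f"512 -> 700 bits: work x{work_ratio(512, 700):.0f}, "
          f"space x{space_ratio(512, 700):.1f}")
    # Constructed budget assumption: 64x more compute (six doublings), not a thread figure.
    print(f"With 64x the compute, the heuristic reaches ~{bits_reachable_with(512, 64):.0f}-bit moduli")
```

The two ratios come out close to the quoted 730 and 27, which is why the square-root relation between matrix size and sieving work is worth knowing: memory, not just CPU time, is what the quoted poster is pointing at.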

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: SQ Announcement
Date: Fri, 03 Sep 1999 23:18:59 GMT

In article <7qpc53$nmk$[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] (David Wagner) wrote:
>In article <7qo4oi$[EMAIL PROTECTED]>,
>Kostadin Bajalcaliev <[EMAIL PROTECTED]> wrote:
>> I have read Shannon theories, just compare my and your claim:
>> 
>> If we need more information than the output carries about the inner state of
>> the generator ...
>> 
>> when the output keystream length is longer than the key length, the
>> 
>> I do not see any logical connection.
>
>My point is that, if the stream cipher uses a N-bit key, then we
>need only N bits of information about the cipher to deduce the inner
>state, total.
>
>Thus, by looking at N bits of output, we are guaranteed to have enough
>aggregate information to break the cipher (if there are no bounds on
>our computing power).
>
>I believe this means that the "Information Lose" theory does not apply
>to any cipher which generates more than N bits of output: if more than
>N bits of information about the output are available, then the output
>carries enough information about the internal state to break the generator,
>and thus the "Information Lose" theory cannot be applied to the cipher.
>
>Am I interpreting the "Information Lose" theory correctly, or am I confused?
>


   IF you ask me Mr Wagner you can't even read C code so if I had to
bet I would say you might be confused. Anyway, you asked, I answered.
Also just because a stream cipher has N bits in its key is
no guarantee that the internal state is such that 10 bits coming
out tell all about the cipher. One could design at least 2 different
ciphers with 10 bit keys such that the first 10 bits out match but
the rest doesn't. Also Shannon's theories have a great deal to do
with information and by extension to encryption. You may have
gotten off in such a narrow area of encryption that you missed the forest
for the trees.
 But you're young maybe you'll get better with age.

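The information-theoretic point argued in the quoted exchange above (an N-bit key leaves at most N bits of uncertainty, so roughly N bits of keystream are enough in principle to pin down the key, with more bits removing the remaining collisions) can be made concrete with a toy generator. This is an added illustration, not code from either poster: the generator, its LCG constants and the 16-bit key size are constructed for the demonstration and it is not a real cipher.

```python
# Toy stream cipher: a 16-bit key seeds a 16-bit linear congruential state; each
# step emits the state's top bit. Constants are constructed for the demonstration
# (a = 1 mod 4 and odd c give the LCG full period mod 2^16); it is not a real cipher.
KEY_BITS = 16
MASK16 = (1 << KEY_BITS) - 1
LCG_A = 214013
LCG_C = 2531011


def toy_keystream(key, nbits):
    """First `nbits` keystream bits produced from `key`."""
    state = key
    out = []
    for _ in range(nbits):
        state = (LCG_A * state + LCG_C) & MASK16
        out.append(state >> (KEY_BITS - 1))
    return out


def consistent(key, prefix):
    """True if `key` reproduces the observed keystream `prefix`; stops at the first mismatch."""
    state = key
    for bit in prefix:
        state = (LCG_A * state + LCG_C) & MASK16
        if (state >> (KEY_BITS - 1)) != bit:
            return False
    return True


def keys_consistent_with(prefix):
    """Exhaustively list every key whose keystream begins with `prefix`
    (the unbounded-computation attacker of the quoted argument)."""
    return [k for k in range(1 << KEY_BITS) if consistent(k, prefix)]


def expected_spurious_keys(key_bits, output_bits):
    """Heuristic count of wrong keys that happen to match `output_bits` of keystream,
    treating each wrong key's output as random: (2^key_bits - 1) / 2^output_bits."""
    return ((1 << key_bits) - 1) / (1 << output_bits)


if __name__ == "__main__":
    true_key = 0xBEEF  # constructed example key
    for nbits in (4, 8, 12, 16, 24, 32):
        observed = toy_keystream(true_key, nbits)
        candidates = keys_consistent_with(observed)
        print(f"{nbits:2d} bits observed: {len(candidates):5d} candidate keys "
              f"(expected spurious ~{expected_spurious_keys(KEY_BITS, nbits):.3f}); "
              f"true key present: {true_key in candidates}")
```

Running the demo shows the candidate set shrinking by about half per observed bit, reaching a handful of keys around 16 bits (collisions on a short prefix do exist, as the reply above says) and the true key alone once more output than the key length is available, which is the case the quoted argument is about.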
------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Schneier/Publsied Algorithms
Date: Sat, 04 Sep 1999 02:01:32 GMT

In article <[EMAIL PROTECTED]>, Eric Lee Green <[EMAIL PROTECTED]> 
wrote:
>"SCOTT19U.ZIP_GUY" wrote:
>> >top five finalists. Sounds like it's pretty solid to me, though some of the
>> >other AES candidates also have good points that make them worth looking at.
>> >
>>  Yeah I've been wondering just what those "good points" are. Will the NSA
>> ever tell us.?
>
>Probably not, but Brian Gladman ( http://www.seven77.demon.co.uk/index.htm ) is
>not shy about what he sees as strengths and weaknesses. I'm sure I can find
>others with their own opinions if I looked. 
>
>The biggest unknown is RC6. It is simple and fast -- but is it secure? Given
>RSA's long flirtation with the NSA, that's the billion-dollar question. It's
>hard to believe that something so simple could be secure, but on the other hand
>the principal designers of RC6 do have a lot of experience in the field and
>maybe they're just smarter than the rest of the AES contributors. 
>
>I *WILL* point out that design of block ciphers is not exactly brain surgery in
>this day and age. This is a field which is, to a certain extent, mature, unlike
>the field of public key encryption, which is still in its infancy. 
>
>-E

   I don't think it is that mature yet. Yes we will have computers and we can
measure things for certain forms of attack. But we aren't there yet. I still
think it is foolish to use short keys and any block less than the largest
possible.
 Most people think I am kidding but when it comes to AES don't any of
the so-called creditable crypto people think that it is just a front for
the NSA or are they all so caught up in the excitement they stop
thinking.

David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: 512 bit number factored
Date: 3 Sep 1999 20:30:12 -0400

In article <7qnj7i$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Paul Rubin)
writes:
>Wei Dai <[EMAIL PROTECTED]> wrote:
>>Now a question of my own: does anyone actually use 512-bit keys for e-
>>commerce, as CWI's press release claims?

  As previously noted, this is Shamir's claim, from the abstract
  of the TWINKLE paper.  OK, so we left off the reference, already.

>Yes, I spend a fair amount of time looking at SSL certificates and
>occasionally still see some 512 bit ones.  It's nothing like the 95%
>that CWI claimed, though.  More like 10%, from the sample I've looked

   A disappointment here.  Perhaps Mr. Rubin has forgotten that the
   last time he posted on this topic he was replying (supposedly) to
   my note clarifying the source 95% estimate?

>at.
>
>You can tell the size of an SSL key by connecting to the web site with
>MS Internet Explorer and clicking on the lock icon, and viewing "key
>exchange" in the SSL properties dialog.  This is with MSIE 4.0; I

    And this is the evidence for disputing Shamir's assertion?  Another
    disappointment.  We seem to have a differing view of e-commerce, not
    to mention commerce.  I heard a rumor to the effect that the NY Times
    is taking up the topic of this 95% estimate on Monday, perhaps.
       On the other topic in this thread, estimating future gnfs
    factorizations, perhaps it's useful to recall the relation between
    snfs and gnfs.  The factorization of the 9th Fermat number, (2^512)+1
    first appears in print in 1991, and our report on rsa155 seems likely
    to first appear in print in 2000.  The current snfs record, which we
    set in between our factorizations of RSA140 and RSA155, is the
    factorization of (10^211)/9, which appears to have 698 bits.  Perhaps
    it's plausible someone will be factoring 698-bit "general" numbers
    nine years from now?  Likewise, perhaps it's interesting to observe
    that no one's yet announced a 768-bit snfs factorization.
       B. Dodson


------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Schneier/Publsied Algorithms
Date: 4 Sep 1999 00:11:43 GMT

Eric Lee Green <[EMAIL PROTECTED]> wrote:
> I *WILL* point out that design of block ciphers is not exactly brain surgery in
> this day and age. This is a field which is, to a certain extent, mature, unlike
> the field of public key encryption, which is still in its infancy. 
                                                ^^^^^^^^^^^^^^^^^^^

Because we only have a few trapdoor one-way functions ?

Why are block ciphers more mature, if DES and Lucifer are only 5-10 years
older than Diffie-Hellman? Are you counting the Enigma and PURPLE
as early block ciphers in the sense they're considered today?

Thanks,
-David 

------------------------------

From: [EMAIL PROTECTED] (Wei Dai)
Subject: Re: Re: 512 bit number factored
Date: Fri, 3 Sep 1999 17:52:40 -0700

In article <7qoc6f$80e$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> I think you'll find that a lot of large-volume
> corporate-bank and even inter-bank payment links
> use 512 bit RSA, or even various symmetric
> protocols.
> 
> Security is often augmented, though, with other
> techniques or procedures in addition to the
> signature.

Giving the banks and RSADSI (now part of Security Dynamics) the benefit 
of doubt, perhaps the 512-bit RSA is used to augment their main security 
techniques, and not the other way around. Otherwise RSADSI really should 
have done a better job educating the banks. Certainly if RSADSI knew 
about the insecurity of 512-bit keys back in 1990, no system implemented 
after 1990 should have used 512-bit keys except for low-security 
purposes, and nine years should have been enough time to upgrade the 
earlier systems.

------------------------------

From: "Greg Keogh" <[EMAIL PROTECTED]>
Subject: More information on TEA available?
Date: Sat, 4 Sep 1999 10:29:31 +1000

Hello from Melbourne Australia,

I've been running a few web searches for various combinations of keywords
related to TEA (Tiny Encryption Algorithm), but the only link that pops-up
is http://www.vader.brad.ac.uk/tea/tea.shtml. This link leads to a few other
useful places, including some source and the original PS files on TEA and
TEAX by Wheeler et al.

I'm somewhat fascinated by the brevity of TEA, it's a dream to code and use.
I'm looking for up-to-date information on the strength of TEA, and any other
new information that might have surfaced about it.

Any links you can recommend?

Cheers,
Greg Keogh [EMAIL PROTECTED]
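As an added illustration for the question above (not code from the post or from the TEA authors' distribution), here is TEA in Python together with the best-known structural weakness of its key schedule, described by Kelsey, Schneier and Wagner in 1997: in each half-round the key words k0 and k1 (likewise k2 and k3) enter only through the two outer terms of a three-way XOR, so flipping the top bit of both at once changes nothing, and every 128-bit key has three equivalents, giving an effective key size of 126 bits. The key and plaintext values below are constructed.

```python
# TEA (Wheeler & Needham, 1994): 64-bit block as two 32-bit words, 128-bit key as
# four 32-bit words, 32 cycles of two Feistel half-rounds each.
MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9          # TEA's round constant, floor(2^32 / golden ratio)
CYCLES = 32


def tea_encrypt_block(v0, v1, key):
    """Encrypt one block (v0, v1) under key (k0, k1, k2, k3); all values are 32-bit words."""
    k0, k1, k2, k3 = key
    total = 0
    for _ in range(CYCLES):
        total = (total + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def tea_decrypt_block(v0, v1, key):
    """Inverse of tea_encrypt_block: undo the half-rounds in reverse with `total` counting down."""
    k0, k1, k2, k3 = key
    total = (DELTA * CYCLES) & MASK32   # 0xC6EF3720 in the reference C code
    for _ in range(CYCLES):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        total = (total - DELTA) & MASK32
    return v0, v1


def tea_equivalent_keys(key):
    """The three other keys that encrypt identically to `key`.
    Adding 0x80000000 to k0 flips bit 31 of ((v1<<4)+k0) and to k1 flips bit 31 of
    ((v1>>5)+k1); XORed together the two flips cancel, and the middle term
    (v1 + total) contains no key word. The same holds for k2, k3 in the other half-round."""
    k0, k1, k2, k3 = key
    top = 0x80000000
    return [
        (k0 ^ top, k1 ^ top, k2, k3),
        (k0, k1, k2 ^ top, k3 ^ top),
        (k0 ^ top, k1 ^ top, k2 ^ top, k3 ^ top),
    ]


def equivalent_key_check(key, v0, v1):
    """True if every equivalent key produces the same ciphertext for block (v0, v1)."""
    ct = tea_encrypt_block(v0, v1, key)
    return all(tea_encrypt_block(v0, v1, k) == ct for k in tea_equivalent_keys(key))


if __name__ == "__main__":
    key = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)  # constructed sample key
    pt = (0x4C6F7265, 0x6D497073)                          # constructed sample block
    ct = tea_encrypt_block(*pt, key)
    print(f"ciphertext: {ct[0]:08x} {ct[1]:08x}")
    print("round trip ok:", tea_decrypt_block(*ct, key) == pt)
    print("all three equivalent keys collide:", equivalent_key_check(key, *pt))
    # Flipping only one of the two top bits is a genuinely different key.
    k_single = (key[0] ^ 0x80000000,) + key[1:]
    print("single top-bit change collides:", tea_encrypt_block(*pt, k_single) == ct)
```

The equivalent-key property does not help an attacker recover a key directly, but it matters wherever TEA is used as a building block that assumes a one-to-one key (a hash construction, a MAC keyed per message); it is the reason the authors followed up with XTEA.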

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Alleged NSA backdoor in Windows CryptoAPI
Date: 3 Sep 1999 20:54:30 -0400

[EMAIL PROTECTED] wrote:

> There's no need for an extra key if MS want to allow the US govt to
> break in and add crypto modules to other peoples systems - just get
> MS to sign the compromised module.

And surely, the US govt would agree to a system in which MS would always
be informed as to their actions and have the ability to thwart them.

And MS would agree to a system in which they would have to be complicit in
any legal or illegal govt intrusion and could not plead a lack of
knowledge of a particular case and would want to have the responsibility
of checking each govt module.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Schneier/published algorithms
Date: Sat, 04 Sep 1999 01:56:03 GMT

In article <R1Yz3.5$[EMAIL PROTECTED]>, Forrest Johnson 
<[EMAIL PROTECTED]> wrote:
>In article <7qlub3$2vh2$[EMAIL PROTECTED]> SCOTT19U.ZIP_GUY,
>[EMAIL PROTECTED] writes:
>>>Mr. Scott, I'm pleased to see that you are so passionate about people
>>>answering questions asked of them.  Perhaps you would be so kind as to
>>>answer the questions I posed to you last week in several different posts.
>>(Diatribe about Bruce Schneier snipped)<
>I didn't ask about Mr. Schneier's reply, I asked about yours.
>>>
>>>In case you've forgotten, you made a claim that you had changed software
>>>in fielded weapons systems.  I asked you to identify which systems these
>>>were.
>>  Wrong again you use the word "fielded" I stated I work on literally 
>>everything the Navy flew or flies.
>Good, a calibration point.  Your hedging on the word "fielded" in order
>to dodge answering the question shows that you do not know the answer to
>the questions I posed.
>
>>>Given your excoriation of Mr. Schneier, I'm sure you are now eager to
>>>avoid the "cast the first stone" stigma.
>>  wrong again he cast the first stone so there is nothing to avoid
>Not in your world, maybe.  (What color is the sky in there, by the way?) 
>You castigated Mr. Schneier for not answering a part of a post.  You
>refuse to answer even the most direct questions.
>
>>>
>>>I did ask quite a few questions, so I might have overwhelmed you.  I'll
>>>start with one or two easy ones this time and we can go from there:
>>>
>>>1) Did you change software in a fielded weapons system, yes or no?
>>>2) If yes, what weapons system was it?
>>>
>>>TIA
>>
>>  The answer to both questions is if the Navy flew and had trouble I most 
>>likely worked on it to fix the problems. If this doesn't sit well with you tough
>>shit.  I don't have to play by your rules. I don't have to kiss your ass and 
>>things are not always black and white. 
>Now an ad hominem attack.  The truth is that you can't answer the
>questions, can you?  Your replies would be too easy to disprove, so you
>instead try to divert attention by attacking the integrity of people you
>don't even know.
>
>>My question to you is why do companies 
>>like yours seem to give the government such poor quality work for the dollar.
>Give an example based on facts.  Try to avoid the usual pointless rant
>that seems to make up most of your posts.
>
>>I never understood why it seemed to be OK that subcontractors could pretend to 
>>do something at great expense and then do it wrong. Where I worked the workers
>>always felt that companies do the work wrong on purpose so that they can bid
>>another contract to suck more money out of the system.   We felt like the
>>companies had no real incentive to do the work correctly since they get more
>>contracts if they do it bad.
>There's another indication that you were an insignificant cog who never
>came close to really working on the systems you claimed.  All defense
>contracts have a program office to report to.  Not only do they have
>overseers from the respective branches of the military, but also from
>third party contractors hired for that purpose.   The workers you refer
>to were in reality low ranking Naval personnel who were mechanically
>following TO's and, like all servicemen, bitching out of boredom.  I
>would ask you to prove your statements with concrete examples, but then,
>you don't have any, do you?
>
>>Yes I remember your company. But I was wondering
>>was it just that companies send their worst people to work on gov projects
>>or is it just that good people don't work for defense contractors. This is 
>>what it seemed like from the place I worked. But maybe you can enlighten us
>>on the motivations of your company and put the current PR spin on it. 
>Ah, another ad hominem attack.  Nothing in the world could enlighten you,
>Mr. Scott.  You even jump to the conclusion that because my email address
>says Raytheon, I must work there.
>
>>Don't worry my kind of programmer no longer works for the Navy. At the time I was
>>hired they wanted talented people with very good grades in technical subjects
>>that would get the job done. If you weren't in the top 10% of your graduating
>>class you could not get in. 
>If the timetable you've hinted at in other posts to this group holds true
>(which isn't a solid bet with anything you say), you joined the Navy at a
>time when they were taking people from a much broader range than the
>elite 10% you infer you were in.  (What was that, by the way, high
>school?)
>
>You are correct that your type of programmer no longer works for the
>Navy.  Deep psychoses seem to have a disqualifying effect.
>
><(more pointless ranting snipped)>
>
>Mr. Scott, you don't answer my questions because you can't.  You lied
>about changing the software in fielded weapons systems and you don't have
>the knowledge to cover up those lies with another layer of more plausible
>lies.  I've often wondered about your various algorithms; I don't have
>the time nor the energy to analyze them myself, so I chose to gather some
>calibration points about your boasts in something more easily assayed. 
>You lied about what you did in the past (and not just incidentally
>accused quite a few people of incompetence, malice, and sabotage), so my
>conclusion is that you are lying about everything else.  You might have
>something of value in your code, but I doubt that was intentional -- even
>a blind pig finds an acorn once in a while.
>
>Let me repeat it once more so you won't forget it, Mr. Scott -- you are a
>liar.  I know it and all your blustering doesn't hide the fact that you
>know it, too.
  What can I say you obviously know much more about how the Navy
runs things. I just hope the other David A. Scott who did the patent
does not get mad. I was actually just a janitor in a mental hospital.
Well actually janitor and part time patient. But clever you found me
out.

David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************