Cryptography-Digest Digest #743, Volume #10      Wed, 15 Dec 99 07:13:01 EST

Contents:
  Re: NAI granted export license for PGP ([EMAIL PROTECTED])
  Re: Simple newbie crypto algorithmn (Steven Siew)
  Re: How easy would this encryption be to crack? - revised (Steven Siew)
  Re: Why no 3des for AES candidacy ("Douglas A. Gwyn")
  Re: Why no 3des for AES candidacy ("Douglas A. Gwyn")
  Re: Deciphering without knowing the algorithm? ("Douglas A. Gwyn")
  Re: security of 3des ?= des ("Douglas A. Gwyn")
  Re: Simple newbie crypto algorithmn ("Douglas A. Gwyn")
  Re: Deciphering without knowing the algorithm? (Guy Macon)
  Re: The Code Book (Guy Macon)
  Re: Simple newbie crypto algorithmn ([EMAIL PROTECTED])
  Re: Why no 3des for AES candidacy ("Tim Wood")
  Re: Why no 3des for AES candidacy ("Tim Wood")
  Re: Why no 3des for AES candidacy ("Tim Wood")
  Re: Simple newbie crypto algorithmn (Steven Siew)
  Re: Simple newbie crypto algorithmn (Steven Siew)
  Re: Deciphering without knowing the algorithm? (CLSV)
  Re: Simple newbie crypto algorithmn (CLSV)
  Re: Simple newbie crypto algorithmn (CLSV)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Re: NAI granted export license for PGP
Date: Wed, 15 Dec 1999 05:27:36 GMT

Mike Andrews <[EMAIL PROTECTED]> wrote:
> : Why haven't we seen any people ranting about "NSA must have solved the
> : discrete log and factoring problems" yet? :)

> They've all been taken away in the black helicopters.

Don't be silly, the NSA uses standard rental car models and colors for
this sort of thing, not an eye-catching black helicopter. They've all
been taken away in white Plymouth Voyagers. :)

-- 
Matthew Gauthier <[EMAIL PROTECTED]>


------------------------------

From: Steven Siew <[EMAIL PROTECTED]>
Subject: Re: Simple newbie crypto algorithmn
Date: Wed, 15 Dec 1999 16:46:44 +1100

David Wagner wrote:
> 
> In article <[EMAIL PROTECTED]>,
> Steven Siew  <[EMAIL PROTECTED]> wrote:
> > It's not designed to be fast. It's designed to be secure. Again memory
> > was not considered by me during the design process.
> 
> Anyone can design a secure cipher if it's allowed to be big and slow.
> Just use umpteen-DES, or somesuch, with ten copies of D. Scott's favorite
> chaining mode thrown in for good measure (why not?).
> 
> The question is, why would anyone use a new, slow algorithm when there
> are others available that are both faster and better understood (=> more
> likely to be secure)?
> 
> (Maybe this was intended only for fun, and was not suggested for actual
> use.  If so, I apologize; my comments would be irrelevant in such a case.)

Why would anyone use a new slow algorithm? People would use it if they
can TRUST it! Please refer to my design criteria.


      So I set about proving the above statement. In short I want to
      write a crypto program with the following characteristics:

====>  1. The program must be simple and easy to understand. Thus the
====>     public can see easily the strengths of the encryption.

       2. The program must be cryptographically powerful enough not to
          be cracked even by using all the computers in the world in
          less than a 1000 years.

       3. No special knowledge of arcane cryptography is required.
          No maths more difficult than that encountered in high
          school is required.

Remember I'm aiming at people who are not particularly skilled in
cryptography. People are naturally reluctant to use a program when they
don't understand how it works.

Steven Siew

------------------------------

From: Steven Siew <[EMAIL PROTECTED]>
Subject: Re: How easy would this encryption be to crack? - revised
Date: Wed, 15 Dec 1999 17:05:27 +1100

Christoffer Lernö wrote:
> Oops.. saw the flaws myself.
> What about this:
> 
> (the class itself holds the two key arrays (byte[]) meKeyA and meKeyB,
> there are also
> two looking variables, meSpin (getting its starting value from meKeyA &
> meKeyB)
> and meSpin2 with starting value 0)
> 
> To decode a byte b:


Can you tell us why you think this is a strong crypto algorithm? Frankly I'm
not good at Java; is byte the same as char, or is it the same as unsigned char?

Kindly provide some explanation of your algorithm. What are your design
criteria? Have you thought about how to crack it yourself? How well
does it defend against known plaintext attacks?

How well does it encrypt a plaintext which differs from another
plaintext by a single bit?

Steven Siew

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Why no 3des for AES candidacy
Date: Wed, 15 Dec 1999 06:48:49 GMT

albert wrote:
> Get a clue, watch some conspiracy movies or something.

That's apparently where you get *your* "information".
Mine is much more reliable.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Why no 3des for AES candidacy
Date: Wed, 15 Dec 1999 06:50:23 GMT

Jim Gillogly wrote:
> Is it also against the law for NSA to decrypt communications that
> were intercepted and handed to them by the FBI working a domestic
> case?

Yes, in most instances.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Deciphering without knowing the algorithm?
Date: Wed, 15 Dec 1999 06:54:31 GMT

"SCOTT19U.ZIP_GUY" wrote:
> ...  You must be the kind of person who would be the type
> to blow money on expensive crypto equipment from the Swiss where
> it comes preinstalled with a red thread from our friendly NSA so
> they can read the data realtime.

That's not correct.  We discussed this before; the accusation
was poorly reported and it was the *reporter's misinterpretation*
of what he had been told by interviewees that you are citing.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: security of 3des ?= des
Date: Wed, 15 Dec 1999 07:08:02 GMT

[EMAIL PROTECTED] wrote:
> i was wondering if it has been shown that 3des is more secure
> than des.

Yes.

> my understanding is that if des transformations form a group

But they don't.

> ... currently nobody knows if des transformations form a group.

Wrong; that was settled years ago.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Simple newbie crypto algorithmn
Date: Wed, 15 Dec 1999 07:04:20 GMT

"SCOTT19U.ZIP_GUY" wrote:
> He hopefully can can learn something ...

That remains to be seen.  When somebody shows up saying that
any high school kid could do better than the pros, and *his*
example is impossible to break in under 1000 years, etc., he
isn't showing signs of being educable.

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Deciphering without knowing the algorithm?
Date: 15 Dec 1999 02:24:02 EST

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tim Tyler) wrote:

>The moral of the story is probably to try to pad your messages with a
>quantity of random garbage (to disguise their real length) after
>encryption.

I would have thought that padding before encrypting would be better.
Your encryption program or your RNG might have a bias that allows an
attacker to figure out where one stops and the other starts.

Besides, changing the letter frequency in the plaintext is a minor
security improvement.
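The "pad before you encrypt" point above, as an added example (not code from Guy Macon or anyone else in this digest): the length field and filler are placed inside the plaintext so the cipher covers both, and an observer only learns which size bucket a message fell into. The 64-byte bucket, the demo key and the SHA-256 counter-mode keystream are constructed assumptions standing in for a real cipher; the stream is unauthenticated, so this example protects length only, not integrity.

```python
import hashlib
import struct

# Added example (not code from any poster): length-hiding padding applied
# BEFORE encryption, so the pad bytes are covered by the cipher and an observer
# never sees a boundary between "real" ciphertext and appended filler.
# Constructed assumptions: a 64-byte bucket size, a demo key, and a stand-in
# keystream (SHA-256 in counter mode) in place of a real cipher; the stream is
# not authenticated, so this protects length only, not integrity.

BUCKET = 64
DEMO_KEY = b"constructed demo key, not for real use"


def pad_before_encrypt(msg: bytes, bucket: int = BUCKET) -> bytes:
    """Prefix a 4-byte big-endian length, then pad with zeros to a bucket
    boundary. The receiver trusts the length field, so the pad bytes need not
    be distinguishable from message bytes and can be anything."""
    body = struct.pack(">I", len(msg)) + msg
    return body + b"\x00" * ((-len(body)) % bucket)


def unpad(body: bytes) -> bytes:
    """Strip the length header and pad; reject a length that overruns the body."""
    if len(body) < 4:
        raise ValueError("body too short for a length field")
    (n,) = struct.unpack(">I", body[:4])
    if n > len(body) - 4:
        raise ValueError("length field exceeds padded body")
    return body[4:4 + n]


def keystream(key: bytes, n: int) -> bytes:
    """Stand-in keystream: SHA-256(key || counter), concatenated to n bytes."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def encrypt(key: bytes, msg: bytes, bucket: int = BUCKET) -> bytes:
    padded = pad_before_encrypt(msg, bucket)
    return bytes(a ^ b for a, b in zip(padded, keystream(key, len(padded))))


def decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct)))))


def ciphertext_lengths(key: bytes, messages, bucket: int = BUCKET):
    """Observable lengths: every message up to bucket-4 bytes looks the same."""
    return [len(encrypt(key, m, bucket)) for m in messages]


if __name__ == "__main__":
    msgs = [b"", b"yes", b"no", b"meet me at the usual place at nine"]
    print("ciphertext lengths:", ciphertext_lengths(DEMO_KEY, msgs))
    for m in msgs:
        assert decrypt(DEMO_KEY, encrypt(DEMO_KEY, m)) == m
```

Running it shows all four messages producing 64-byte ciphertexts; a message of 61 or more bytes moves to the next bucket. Padding after encryption would need the filler to be indistinguishable from cipher output, which is exactly the bias Guy Macon is worried about; padding inside avoids having to make that bet.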


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: The Code Book
Date: 15 Dec 1999 02:32:46 EST

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (David Hamer) wrote:
>
>Possibly due to confusion stemming from differences
>between the Gregorian and Julian calendars. While the
>former was officially proclaimed by Pope Gregory XIII in
>1582 and was adopted almost immediately by most European
>Catholic states it was not adopted in England until 1752.
>
>According to my [Gregorian] calendar program 15 October
>1586 fell on a Wednesday.

Also, there were various variant calendars in use during
the period.  A historian would try to find out which was
in use on that day.  It's hard to tell if the passage is
accurate without knowing this.


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Simple newbie crypto algorithmn
Date: Wed, 15 Dec 1999 09:09:15 GMT

Steven Siew <[EMAIL PROTECTED]> wrote:
> Remember I'm aiming at people who is not particularly skilled in
> cryptography. People are naturally reluctant to use program which they
> don't understand how it works.

Personally, I don't have a warm fuzzy feeling about this statement. In
my experience people use programs they don't understand daily. 

-- 
Matthew Gauthier <[EMAIL PROTECTED]>


------------------------------

From: "Tim Wood" <[EMAIL PROTECTED]>
Subject: Re: Why no 3des for AES candidacy
Date: Wed, 15 Dec 1999 10:04:17 -0000




Trevor Jackson, III wrote in message <[EMAIL PROTECTED]>...
>Tim Wood wrote:
>
>> Uri Blumenthal wrote in message <[EMAIL PROTECTED]>...
>> >> >> Why isn't 3des being considered for the AES?
>>
>> <snip>
>>
>> >> >One good reason:
>> >> >The AES is supposed to support the following different key sizes:
>> >> > 128, 192, 256
>> >> >
>> >> >You can see why 3-DES, with its single-sized 168 bit key,
>> >> >does not fit in this category.
>> >
>> >No I can't - there are ways to securely make key of any length
>> >(from 64 bis to 768*3 bits) for 3DES.
>> >
>> >> of course it's effective key length (strength) is 112bit not 168bit...
>> >
>> >In general - this is incorrect. In particular, it HIGHLY depends
>> >on the key schedule and how the DES engine is employed.
>> >
>> >See  "A Better Key Schedule for DES-like Ciphers" paper on
>> ><http://www.research.att.com/~smb/papers/index.html>
>>
>> Why Is it incorrect in general? There are lower strength attacks, but even
>> then I think it would be incorrect to quote 3DES as 168bits ? It is
>> misleading.
>
>3DES can be used with two or three 56-bit DES keys, producing a 112-bit flavor
>and a 168-bit flavor.

I was referring to 3DES with three keys (EDE) using outer-CBC mode,
but...

What is the effective strength of the 112-bit flavor? I think that it is
approximately the same as (or slightly less than) the 168-bit flavor,
disregarding the amount of memory required to implement a meet-in-the-middle
attack on 168-bit 3DES. What about using a TEMK system as illustrated on
p. 360 of Applied Cryptography?

What about using padding between encryptions in EEE mode, what about the
mode of the triple encryption?

I don't really want (or need) answers I'm just trying to illustrate the
point that 3DES is used to encompass many, effectively different, ciphers.

tim
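Tim's question about the effective strength of the 112-bit and 168-bit flavours, and Douglas Gwyn's reply earlier in this digest that DES transformations do not form a group, are two sides of the same issue, so here is one added example covering both (not code from any poster): a constructed 8-bit toy cipher, not DES, whose S-box, key schedule and round count are assumptions made for the demo. It checks whether composing two keyed maps is itself a keyed map (closure, which holds for a plain XOR "cipher" and makes double encryption worthless there), and then runs the meet-in-the-middle search against double encryption to show why two independent keys buy only about one extra bit of work rather than twice the key length.

```python
# Added example (not code from any poster in this digest): an 8-bit toy block
# cipher, constructed for illustration only, used to show two ideas raised in
# the thread: (1) whether a cipher's keyed transformations are closed under
# composition (form a group), and (2) why double encryption under two
# independent keys only costs an attacker about one key's worth of work plus
# one bit, via a meet-in-the-middle search. Nothing here is DES.

# Bijective, strongly nonlinear 8-bit S-box: x -> 3^x mod 257, with 256 -> 0.
# 3 is a primitive root mod 257, so the 256 powers are all distinct.
SBOX = [pow(3, x, 257) & 0xFF for x in range(256)]
INV_SBOX = [0] * 256
for _x, _y in enumerate(SBOX):
    INV_SBOX[_y] = _x

ROUNDS = 3


def rotl(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def rotr(x, n):
    return ((x >> n) | (x << (8 - n))) & 0xFF


def round_key(k, r):
    # Constructed toy key schedule: rotate the key by r bits, XOR a round constant.
    return rotl(k, r) ^ ((0x5B * (r + 1)) & 0xFF)


def encrypt(k, x):
    """Encrypt one 8-bit block x under the 8-bit key k."""
    for r in range(ROUNDS):
        x = SBOX[x ^ round_key(k, r)]  # key mixing, then nonlinear substitution
        x = rotl(x, 3)                 # fixed bit rotation for diffusion
    return x ^ k                       # final key whitening


def decrypt(k, y):
    """Inverse of encrypt: undo whitening, then the rounds in reverse order."""
    x = y ^ k
    for r in reversed(range(ROUNDS)):
        x = rotr(x, 3)
        x = INV_SBOX[x] ^ round_key(k, r)
    return x


def permutation(cipher, k):
    """The full input/output table of E_k; equal tables mean the same map."""
    return tuple(cipher(k, x) for x in range(256))


def composition_key(cipher, k1, k2):
    """Return a key k3 with E_k3 == E_k2 o E_k1, or None if no such key exists.
    If one always exists the keyed maps form a group, and encrypting twice
    (with any two keys) is no stronger than encrypting once with some key."""
    composed = tuple(cipher(k2, cipher(k1, x)) for x in range(256))
    for k3 in range(256):
        if permutation(cipher, k3) == composed:
            return k3
    return None


def xor_cipher(k, x):
    """A keyed map that DOES form a group: E_k2(E_k1(x)) == E_(k1 ^ k2)(x)."""
    return x ^ k


def double_encrypt(k1, k2, x):
    return encrypt(k2, encrypt(k1, x))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) of double encryption from known (plaintext, ciphertext)
    pairs with about 2 * 256 cipher calls and a 256-entry table, instead of the
    256 * 256 trials a naive search over both keys would need."""
    p0, c0 = pairs[0]
    # Forward half: every possible middle value E_k1(p0), indexed by value.
    middle = {}
    for k1 in range(256):
        middle.setdefault(encrypt(k1, p0), []).append(k1)
    # Backward half: D_k2(c0) must land on the same middle value.
    candidates = []
    for k2 in range(256):
        for k1 in middle.get(decrypt(k2, c0), []):
            candidates.append((k1, k2))
    # With 8-bit blocks one pair leaves ~256 false matches; the remaining pairs
    # filter them (each extra pair keeps a false pair with probability ~1/256).
    return [(k1, k2) for (k1, k2) in candidates
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:])]


if __name__ == "__main__":
    print("XOR cipher: 0x34 after 0x12 equals the single key",
          hex(composition_key(xor_cipher, 0x12, 0x34)))
    print("Toy cipher: 0x34 after 0x12 equals a single key?",
          composition_key(encrypt, 0x12, 0x34))
    k1, k2 = 0x3C, 0xA5
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x00, 0x01, 0x42, 0x7F, 0xFF)]
    print("meet-in-the-middle recovered",
          [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```

The XOR case returns the key 0x26 (= 0x12 ^ 0x34), so doubling it adds nothing; the toy cipher returns None, so doubling does add something, but the meet-in-the-middle search still recovers the 16-bit key pair with roughly 2^9 cipher calls plus a 2^8-entry table rather than 2^16 trials. That memory-for-time trade is the same one Tim mentions, and it is why a three-key 3DES key of 168 nominal bits is commonly quoted at about 112 bits of strength.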



------------------------------

From: "Tim Wood" <[EMAIL PROTECTED]>
Subject: Re: Why no 3des for AES candidacy
Date: Wed, 15 Dec 1999 10:28:04 -0000



Uri Blumenthal wrote in message <[EMAIL PROTECTED]>...
>Tim Wood wrote:
>[re: 3DES]
>> >> of course it's effective key length (strength) is 112bit
>> >> not 168bit...
>> >
>> >In general - this is incorrect. In particular, it HIGHLY depends
>> >on the key schedule and how the DES engine is employed.
>> >
>> >See  "A Better Key Schedule for DES-like Ciphers" paper on
>> ><http://www.research.att.com/~smb/papers/index.html>
>>
>> Why Is it incorrect in general? There are lower strength attacks,
>> but even then I think it would be incorrect to quote 3DES as
>> 168bits ? It is misleading.
>
>IMHO, because the key schedule you employ will determine
>the "strength" of the engine.  [But my definition of
>standard is loose  :-]
>
>Since you read the paper - you saw the mod's to the way
>DES is tripled, as well. I claim those too don't invalidate
>the analysis done on "normal" DES and 3DES [see below].

Hang on, just loading it again.
OK, right. I don't think that all of the analysis on DES is invalidated by
any means - in the same way that it is possible to use differential
cryptanalysis on several different ciphers. I also see from the paper that
the key generation techniques can also be applied to IDEA with minor
modification (and other block ciphers in general).

They also suggest changing the order of the S-boxes (in passing) to 24673158.
This in fact comes from the analysis done on normal DES and 3DES.

I also see that the new key schedule eliminates weak keys from the cipher.

And to use it DES does not necessarily have to be tripled; I understand that
they suggest 32-round DES (not 48-round triple DES), although mostly it is
personal choice and "best-for-situation".

>
>> Also doesn't DES include the Key schedule?
>
>Sure it does - and it's quite independent from the rest of
>the mechanism. Biham and Shamir took the trouble to explore
>what DES looks like (strength-wise) with modified key schedule,
>and still called it DES (one mod was using independent subkeys).
>Because they understood how loose the ties are between the crypto
>engine and the key schedule engine  (unlike ANY other ties
>between the blocks of a crypto engine, for example).

My understanding from Appendix A was that they had actually renamed it to
DES-SK/n. Am I incorrect?
So DES-SK/32 (better double-DES) or the triple DES improvement DES-SK/48 are
being suggested?

>
>Splitting thin hairs, if you modify the key schedule one bit,
>you're not "DES" any more.

Correct.

>In crypto research however, the goal is not to comply with every
>dot of the existing ANSI document(s), but to preserve (to keep valid
>and to build upon) as much of the analysis already performed on the
>existing algorithm(s) as possible.

Correct

>This was the purpose of the
>design suggested in the above paper: to keep valid the results
>of 20+ years of analysis AND at the same time increase the
>strength of the algorithm, with MINIMAL invasion.
>IMHO it was accomplished.

It was indeed, I am Impressed.

>
>In other words, the modified algorithm is DES because all the
>ANALYSIS performed on DES is still valid and applicable.

But, some of the analysis of DES is applicable to block ciphers in
general.... I think that for manageability's sake, DES and 3DES should be
reserved as names for the relevant standards. If people were allowed to
significantly modify DES and still call it DES, snake oil advertising would
simply get worse.
Also from a knowledge management point of view, having lots of schemes with
the same name starts to detract from the discussion of their merits ;-).

Tim


>
>> Not that it really matters that much, since 3DES is not a candidate.
>
>Of course (:-). A pure technical discussion on the qualities and
>properties of an algorithm.
>--
>Regards,
>Uri
>-=-=-==-=-=-
><Disclaimer>



------------------------------

From: "Tim Wood" <[EMAIL PROTECTED]>
Subject: Re: Why no 3des for AES candidacy
Date: Wed, 15 Dec 1999 10:34:13 -0000


Uri Blumenthal wrote in message <[EMAIL PROTECTED]>...
<snip>
>Regardless, touching S-boxes you do touch the "heart" of
>the engine, and THEN it's questionable how much of the
>existing analysis of the "old" DES still applies. Why
>do you think we left the S-boxes alone? (:-)

I'm not sure that is true. See
http://www.research.att.com/~smb/papers/index.html
"A Better Key Schedule for DES-like Ciphers", where a reference is made to
papers on improving the S-box schedule.

Specifically a reference to,

Mitsuru Matsui. On Correlation Between the Order of S-boxes and the Strength
of DES. In Proceedings of EUROCRYPT’94.

(an analysis which I have no real knowledge of unfortunately)

Tim

>--
>Regards,
>Uri
>-=-=-==-=-=-
><Disclaimer>



------------------------------

From: Steven Siew <[EMAIL PROTECTED]>
Subject: Re: Simple newbie crypto algorithmn
Date: Wed, 15 Dec 1999 21:56:26 +1100

[EMAIL PROTECTED] wrote:
> 
> Steven Siew <[EMAIL PROTECTED]> wrote:
> > Remember I'm aiming at people who is not particularly skilled in
> > cryptography. People are naturally reluctant to use program which they
> > don't understand how it works.
> 
> Personally, I don't have a warm fuzzy feeling about this statement. In
> my experience people use programs they don't understand daily.
> 
> --
> Matthew Gauthier <[EMAIL PROTECTED]>

Sure! But is it by choice? If you have two crypto programs, one whose
workings you can understand and another which you cannot make heads
or tails of, which would you rather use if your life depends on it?

Steven Siew.

------------------------------

From: Steven Siew <[EMAIL PROTECTED]>
Subject: Re: Simple newbie crypto algorithmn
Date: Wed, 15 Dec 1999 22:09:26 +1100

"Douglas A. Gwyn" wrote:
> 
> "SCOTT19U.ZIP_GUY" wrote:
> > He hopefully can can learn something ...
> 
> That remains to be seen.  When somebody shows up saying that
> any high school kid could do better than the pros, and *his*
> example is impossible to break in under 1000 years, etc., he
> isn't showing signs of being educable.


  There is no physical law that says that it is impossible for anybody
with basic English skills to type up on a computer a novel of a literary
value equivalent to the novel War and Peace.

  There is no physical law that says that it is impossible for a high
school kid to come up with a strong crypto algorithm.

  I must admit it's highly unlikely to happen. But can it be done?
That's what's driving me: is it possible in theory if not in practice? Is
it possible using simple concepts to build up a very strong crypto
algorithm?

  Everybody seems to be obsessive about efficiency, but the be all and
end all of crypto algorithms is security. A highly efficient but
insecure algorithm is worse than useless; it gives you false security.

  If you think there is something wrong with my algorithm security
wise, tell me so that I can improve on it.

Steven Siew

------------------------------

From: CLSV <[EMAIL PROTECTED]>
Subject: Re: Deciphering without knowing the algorithm?
Date: Wed, 15 Dec 1999 11:18:48 +0000

"SCOTT19U.ZIP_GUY" wrote:

> [...] If you see an algorithm that is advertised as thoroughly studied by the
> best cryptoheads in the world. Then you can be pretty damn sure it is weak.
> Strong crypto is not allowed. You can not export it since if you could the
> NSA would not be allowed to read your mail and they ain't about to let
> that happen.

Not all of "the best cryptoheads in the world" live in the US.
Furthermore as I understand it the US export regulations are only
valid for binaries. You still may export knowledge. And that is
what happens on this newsgroup.

>  By the way the Crypto Gods have declared scott19u weak and easy to break
> but the bastards keep making excuses why they can't break it. Mr Wagner who
> publicly bragged on this forum that his latest slide attack would be the death
> of my method was full of shit.

Breaking a cipher costs effort. So if someone is willing to
take time to look into a design on this forum it is a favour.

Think about it.

Regards,

        Coen Visser

------------------------------

From: CLSV <[EMAIL PROTECTED]>
Subject: Re: Simple newbie crypto algorithmn
Date: Wed, 15 Dec 1999 11:48:07 +0000

Steven Siew wrote:
 
> David Wagner wrote:

> > The question is, why would anyone use a new, slow algorithm when there
> > are others available that are both faster and better understood (=> more

> Why would anyone use a new slow algorithm? People would use it if they
> can TRUST it! Please refer to my design criteria.

No, people would use it as long as they *believe* they
can trust it. Whether this belief is true or false.
 
> So I set about proving the above statement. In short I want to
> write a crypto program with the following characteristics:

> ====>  1. The program must be simple and easy to understand.

So far so good. The algorithm is not very complex.

> ====>     Thus the public can see easily the strengths of the encryption.

This does not mean it is strong. Furthermore you have to
define your public. I don't think most grandmothers can
even read one line of C (I said most, some probably can).
 
>        2. The program must be cryptographically powerful enough not to
>           be cracked even by using all the computers in the world in
>           less than a 1000 years.

This is a desired characteristic, although a bit vague.
Now provide some proof. E.g. use a weakened version of your
algorithm and break it. Then prove that this is impossible
for the stronger version.
 
>        3. No special knowledge of arcane cryptography is required.
>           No maths more difficult than that encountered in high
>           school is required.

Well this could be your most important argument.
If we may not use math more difficult than high school level for
cryptanalysis you may have a case :-) Please take notice of the
arguments presented by the people in this newsgroup.
 
> Remember I'm aiming at people who is not particularly skilled in
> cryptography. People are naturally reluctant to use program which they
> don't understand how it works.

This is not alt.crypt.marketing.
Don't get me wrong, I think it is good to have new people with
new ideas. If you really are interested in cryptography take
some interest in its theory. Given enough effort you can probably
break your own algorithm and have lots of fun doing it.

Regards,

        Coen Visser

------------------------------

From: CLSV <[EMAIL PROTECTED]>
Subject: Re: Simple newbie crypto algorithmn
Date: Wed, 15 Dec 1999 11:57:09 +0000

Steven Siew wrote:

>   Everybody seems to be obsessive about efficiency, but the be all and
> end all of crypto algorithmns is security.

That is because all designers of reasonable ciphers
publish proof (done by themselves) that their algorithms
are resistant against the strongest attacks known
at this time (e.g. linear cryptanalysis, absence of
or extremely few weak keys, good statistical randomness).
So having done all that they continue to talk about
efficiency.

Regards,

        Coen Visser

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
