Cryptography-Digest Digest #747, Volume #10      Thu, 16 Dec 99 00:13:02 EST

Contents:
  Re: Deciphering without knowing the algorithm? (CLSV)
  Re: which is safer for creating session keys (Hanna Pehrson)
  Re: Non-linear PRNGs (Hanna Pehrson)
  Re: Non-linear PRNGs (Tim Tyler)
  Re: Non-linear PRNGs (David Wagner)
  Re: Prime series instead (Re: Pi) (Matthew Montchalin)
  Re: Deciphering without knowing the algorithm? (SCOTT19U.ZIP_GUY)
  Invitation to our homepage ("(주)상아뉴매틱")
  "Day of Deceit" by Robert Stinnett (Anonymous)
  Re: Prime series instead (Re: Pi) ("Trevor Jackson, III")
  Re: Why no 3des for AES candidacy (Uri Blumenthal)
  Re: Prime series instead (Re: Pi) (Matthew Montchalin)
  Re: Off topic -- 4 year old ("r.e.s.")
  Re: Scott's Screaming Security Method (lobsterboy)

----------------------------------------------------------------------------

From: CLSV <[EMAIL PROTECTED]>
Subject: Re: Deciphering without knowing the algorithm?
Date: Wed, 15 Dec 1999 23:18:34 +0000

"SCOTT19U.ZIP_GUY" wrote:

> [...] Yes I know not all the good cryptoheads live in the US
> but what makes you think the NSA would not kill or silence
> them if they are perceived as a threat. I thought just this last
> year there was a strange death of a European expert. Do
> you really think the NSA would let someone in Europe
> make real progress who was not controlled directly by
> them.

Well I wasn't talking specifically about Europe. Asia has many
bright cryptographers, they can also be found in the Middle East,
maybe some are in Africa and South America. The former Soviet Union
probably has more than we can count.
Some are working for agencies like NSA (i.e. out of reach),
many of them work for universities and companies. Their
safety lies in their numbers. There are just too many to
threaten, bribe or kill. But this kind of discussion belongs
in alt.conspiracy.

> Don't forget even the Swiss are in bed with the NSA
> you do remember how they modified the Swiss crypto equipment
> so as to help in spying.

I have heard the rumors. But remember that Crypto AG
can not really be considered a member of the open cryptographic
community. They use many (company-)secret algorithms.

> >Breaking a cipher costs effort. So if someone is willing to
> >take time to look into a design on this forum it is a favour.

>     Yes I did consider it a favor. And I understand Mr BS and
> friends have looked at my stuff but don't have the balls to say
> much about it. I think it is too embarrassing for them.

Well, maybe your cipher is hard to understand and/or break.
This does not mean per se that the security is as high as you
claim it is. Most attention these days goes to the AES contest
which is the most important cryptographic event
of this moment. So it is logical to see more cryptanalysis
on the contestants than on your (probably complex) cipher.

Regards,

        Coen Visser

------------------------------

From: Hanna Pehrson <[EMAIL PROTECTED]>
Subject: Re: which is safer for creating session keys
Date: Thu, 16 Dec 1999 00:55:36 +0100

Tom St Denis wrote:
> Which is safer hashing KEY+SALT or SALT+KEY?  I meant the actual order
> in which the data is stored.  [or does it matter at all].  I am using
> SHA-1 as the hash btw.
> 
> I ask this because I have been fiddling with Peekboo which uses
> KEY+SALT format, and I wonder if that is ok.  Normally if KEY+SALT were
> under 256 bits it wouldn't matter with sha since it expands them with
> thorough mixing, however in peekboo I hash the hexadecimal copy of
> both so it's actually 576 bits of data being hashed.

This paper discusses some vulnerabilities in MACs built on hash functions,
in particular an analysis of using the key as prefix, suffix and envelope for
the message:
B. Preneel and P. van Oorschot, MDx-MAC and building fast MACs from hash
functions,
ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/preneel/mdxmac_crypto95.ps.gz

/Pell
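The prefix/suffix distinction the cited paper analyses, shown as an added example that is not from the thread: SHA-1's Merkle-Damgård structure lets anyone who knows SHA-1(key || msg) and the length of the key compute a valid SHA-1(key || msg') for a longer msg', which is why "key as prefix" is not a safe MAC and why HMAC is used instead. The SHA-1 compression function is reimplemented here only so the hash can be resumed from a finished digest; the key and messages are constructed sample values.

```python
import hashlib, hmac, struct

MASK32 = 0xFFFFFFFF

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def _sha1_compress(h, block):
    """One SHA-1 compression of a 64-byte block into the 5-word chaining state h."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:   f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40: f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60: f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:        f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rol(a, 5) + f + e + k + w[i]) & MASK32, a, _rol(b, 30), c, d
    return [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]

def sha1_padding(message_len):
    """Merkle-Damgard padding SHA-1 appends to a message of message_len bytes."""
    zeros = (55 - message_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", message_len * 8)

def sha1_resume(digest, consumed_len, extra):
    """SHA-1(prefix || extra) given only SHA-1(prefix) and the length of the
    already padded prefix (consumed_len, a multiple of 64); the prefix itself
    (here: the key) is never needed."""
    h = list(struct.unpack(">5I", digest))
    data = extra + sha1_padding(consumed_len + len(extra))
    for off in range(0, len(data), 64):
        h = _sha1_compress(h, data[off:off + 64])
    return struct.pack(">5I", *h)

def prefix_mac(key, msg):
    """The 'key as prefix' construction the paper analyses: SHA-1(key || msg)."""
    return hashlib.sha1(key + msg).digest()

def extend_prefix_mac(tag, key_len, msg, suffix):
    """Given a valid tag for msg and only the key's length, produce a longer
    message msg || glue || suffix together with its valid tag."""
    glue = sha1_padding(key_len + len(msg))
    extended = msg + glue + suffix
    return extended, sha1_resume(tag, key_len + len(msg) + len(glue), suffix)

def hmac_sha1(key, msg):
    """HMAC-SHA1: the keyed construction that does not have this property."""
    return hmac.new(key, msg, hashlib.sha1).digest()

def demo():
    key = b"constructed-16B!"                 # constructed sample key (16 bytes)
    msg, suffix = b"salt=0123", b"&extra"     # constructed sample data
    tag = prefix_mac(key, msg)
    extended, extended_tag = extend_prefix_mac(tag, len(key), msg, suffix)
    prefix_extends = prefix_mac(key, extended) == extended_tag   # True
    hmac_holds = hmac_sha1(key, extended) != extended_tag        # True
    return prefix_extends, hmac_holds
```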

------------------------------

From: Hanna Pehrson <[EMAIL PROTECTED]>
Subject: Re: Non-linear PRNGs
Date: Thu, 16 Dec 1999 01:32:07 +0100

David Wagner wrote:
> In article <[EMAIL PROTECTED]>, Pelle Evensen  <[EMAIL PROTECTED]> wrote:
> > Side note, has anyone studied the cryptographic properties of multiply with
> > carry generators?
> 
> What cryptographic properties?

Sorry for being vague. In particular, how easy it would be to deduce the
state of a generator of this kind, based on its output?

    All multiplication and addition is mod 2^w.
    h = w / 2
    m[] are constants satisfying: m[i] * 2^h - 1 is prime.
    s[] is the state of the generator.
    m[] and s[] are the same size, r.
    c is the carry (w bits wide), kept between steps.

    For each output of h bits, do
       c' = m[1] * s[x-1] + m[2] * s[x-2] + ... + m[r] * s[x-r] +
                c / 2^h
       s[x] = c' mod 2^h     (the low h bits of c' are the new state word)
       c = c'                (its high h bits, c / 2^h, are carried into the next step)
       output = s[x]

This assumes m[] is kept secret.
 
/Pell

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Non-linear PRNGs
Reply-To: [EMAIL PROTECTED]
Date: Thu, 16 Dec 1999 00:20:46 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:

:> :    Let f(x) = a_0 + a_1*x^(1) + a_2*x^(2) + ..... + a_n*x^(n)
:> :    where x^(k) = x(x-1)(x-2)...(x-k+1).
:> :    Then the generator u(i) = f(u(i-1)) mod 2^m (m>2) has period
:> :    2^m if and only if the following congruences hold:
:> :    a_0 = 1 mod 2,  a_1 = 1 mod 4,  a_2 = 0 mod 2,  a_3 = 0 mod 4.

[...]

:> : Question: Has anyone studied such PRNGs from cryptological point
:> : of view? I surmise that they are extremely hard for analysis even
:> : with moderate values of n.
:> 
:> The reference I was thinking of was from RFC1750:
:> 
:>    Not only have linear congruent generators been broken, but techniques
:>    are now known for breaking all polynomial congruent generators
:>    [KRAWCZYK].
:> 
:> [KRAWCZYK]: How to Predict Congruential Generators, Journal
:>             of Algorithms, V. 13, N. 4, December 1992, H. Krawczyk.
:> 
:> http://www.cis.ohio-state.edu/htbin/rfc/rfc1750.html
:> http://blitzen.canberra.edu.au/RFC/rfc/rfc1750.html
:> 
:> I /believe/ the generator proposed above *is* simply a polynomial
:> congruent generator - if you expand out the "^" operations into their
:> component parts.

: You don't have to /believe/. Isn't it at first look obvious to you
: that f(x) IS polynomial? [...]

Yes, but I was concerned that - since it was not presented in the usual
form for a polynomial generator - this might not be obvious to you - and
I was trying to raise the matter politely.

: Isn't BBS based on a polynomial (a quadratic) and hence according to
: the above broken?

There is a *big* difference between BBS and a polynomial congruential
generator.  In the BBS you only give out the bottom few bits.  If you give
out much more than log2(m) bits (where "m" is the modulus), BBS's security
is toast.  In your proposed generator, *all* the bits are on display.  It
is this form that the Hugo Krawczyk paper applies to.

I observe that - for your proposed generator - giving out only the bottom
few bits is not an option.

You will find that - at *best* - the bottom bit has a period of two - i.e.
at its *most* random, it goes 1010101010101010101010101010101010... :-(
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Generalisations always turn out to be false.
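Mok-Kong Shen's generator from the quoted lines, together with Tim's point about the bottom bit, as an added example that is not part of the thread. The coefficients a_0=1, a_1=1, a_2=2, a_3=4 are a constructed choice meeting the stated congruences (a_0 odd, a_1 = 1 mod 4, a_2 even, a_3 = 0 mod 4); the code checks the full period 2^m and then shows that the low k output bits repeat with period 2^k, so the bottom bit alternates 1010... and truncating to the low bits, as BBS does, cannot rescue this design.

```python
# u(i) = f(u(i-1)) mod 2^m with f(x) = a_0 + a_1*x^(1) + a_2*x^(2) + a_3*x^(3),
# where x^(k) = x(x-1)...(x-k+1) is the falling factorial.

def falling_factorial(x, k):
    """x^(k) = x(x-1)...(x-k+1), with x^(0) = 1."""
    result = 1
    for j in range(k):
        result *= x - j
    return result

def make_step(coeffs, m):
    """Return the map u -> f(u) mod 2^m for f given by falling-factorial coefficients."""
    mask = (1 << m) - 1
    def step(u):
        return sum(a * falling_factorial(u, k) for k, a in enumerate(coeffs)) & mask
    return step

def sequence(step, u0, n):
    """The first n outputs u(1), ..., u(n) starting from the seed u0."""
    out, u = [], u0
    for _ in range(n):
        u = step(u)
        out.append(u)
    return out

def period(step, u0, limit):
    """Smallest p > 0 with step^p(u0) == u0, or None if none within limit steps."""
    u = step(u0)
    for p in range(1, limit + 1):
        if u == u0:
            return p
        u = step(u)
    return None

def low_bits_period(seq, k):
    """Smallest period of the sequence formed by the low k bits of each output."""
    bits = [u & ((1 << k) - 1) for u in seq]
    for p in range(1, len(bits) // 2 + 1):
        if all(bits[i] == bits[i + p] for i in range(len(bits) - p)):
            return p
    return None

COEFFS = (1, 1, 2, 4)   # constructed: a_0 odd, a_1 = 1 mod 4, a_2 even, a_3 = 0 mod 4
M = 8                    # modulus 2^8, small enough to enumerate the whole cycle

def demo():
    step = make_step(COEFFS, M)
    full = period(step, 0, 1 << M)        # every residue mod 2^m is visited: 256
    seq = sequence(step, 0, 2 << M)       # two full periods of output
    # bit 0 has period 2, the low 2 bits period 4, the low 3 bits period 8:
    # the "random" low bits are just a counter in disguise.
    return full, low_bits_period(seq, 1), low_bits_period(seq, 2), low_bits_period(seq, 3)
```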

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Non-linear PRNGs
Date: 15 Dec 1999 16:44:51 -0800

In article <[EMAIL PROTECTED]>,
Hanna Pehrson  <[EMAIL PROTECTED]> wrote:
> Sorry for being vague. In particular, how easy it would be to deduce the
> state of a generator of this kind, based on its output?

I don't know.

But I believe there was a stream cipher called JEROBOAM proposed
at a recent FSE (FSE'99? FSE'98) that used several of these beasts
combined in complicated ways.  You might look to that paper to see
if they talk about the security of using just one on its own.

------------------------------

From: Matthew Montchalin <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Prime series instead (Re: Pi)
Date: Wed, 15 Dec 1999 16:50:00 -0800

On Wed, 15 Dec 1999, Erik Max Francis wrote:

| Matthew Montchalin wrote:
| 
| > Is there any practical value to the number derived from using primes
| > instead of odds in that formula?  E.g.,
| > 
| > N = 4(1 - 1/3 + 1/5 - 1/7 + 1/11 - 1/13 + 1/17 ... )
| 
| You forgot one.

But isn't '2' a prime by royal dubbing?


------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Deciphering without knowing the algorithm?
Date: Thu, 16 Dec 1999 02:12:32 GMT

In article <[EMAIL PROTECTED]>, CLSV <[EMAIL PROTECTED]> wrote:
>"SCOTT19U.ZIP_GUY" wrote:
>
>> [...] Yes I know not all the good cryptoheads live in the US
>> but what makes you think the NSA would not kill or silence
>> them if they are perceived as a threat. I thought just this last
>> year there was a strange death of a European expert. Do
>> you really think the NSA would let someone in Europe
>> make real progress who was not controlled directly by
>> them.
>
>Well I wasn't talking specifically about Europe. Asia has many
>bright cryptographers, they can also be found in the Middle East,
>maybe some are in Africa and South America. The former Soviet Union
>probably has more than we can count.
>Some are working for agencies like NSA (i.e. out of reach),
>many of them work for universities and companies. Their
>safety lies in their numbers. There are just too many to
>threaten, bribe or kill. But this kind of discussion belongs
>in alt.conspiracy.
>
>> Don't forget even the Swiss are in bed with the NSA
>> you do remember how they modified the Swiss crypto equipment
>> so as to help in spying.
>
>I have heard the rumors. But remember that Crypto AG
>can not really be considered a member of the open cryptographic
>community. They use many (company-)secret algorithms.
>
>> >Breaking a cipher costs effort. So if someone is willing to
>> >take time to look into a design on this forum it is a favour.
>
>>     Yes I did consider it a favor. And I understand Mr BS and
>> friends have looked at my stuff but don't have the balls to say
>> much about it. I think it is too embarrassing for them.
>
>Well, maybe your cipher is hard to understand and/or break.
>This does not mean per se that the security is as high as you
>claim it is. Most attention these days goes to the AES contest
>which is the most important cryptographic event
>of this moment. So it is logical to see more cryptanalysis
>on the contestants than on your (probably complex) cipher.
>
    Actually my cipher is very very simple. It allows
one to pick any single cycle S-box for a 19 x 19 use.
That fact alone requires it to have a key of over a million bytes.
Then it is just repeated "wrapped PCBC" chaining with
a first and last pass that is nothing more than an XOR
of the path through the S-box. Actually it is quite simple.
It just can use a very large key if one has a favorite single
cycle S-box. The reason they really hate it is that it is
stronger than the AES crap and it allows one to easily
do "all or nothing" type of encryption on any long
file without changing its length.



David A. Scott
--

SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
                    
Scott famous encryption website NOT FOR WIMPS
http://members.xoom.com/ecil/index.htm

Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm

Scott famous Compression Page WIMPS allowed
http://members.xoom.com/ecil/compress.htm

**NOTE EMAIL address is for SPAMMERS***

------------------------------

From: "(주)상아뉴매틱" <[EMAIL PROTECTED]>
Subject: Invitation to our homepage
Date: Thu, 16 Dec 1999 10:57:05 -0000

DEAR SIR,

WE ARE PLEASED TO VISIT YOUR HOME PAGE.
WE ARE ALSO PLEASED TO INTRODUCE OURSELVES AS LEADING MANUFACTURERS
AND EXPORTERS OF PNEUMATIC EQUIPMENT IN SOUTH KOREA.
WE EXPORT OUR PRODUCTS TO OVER 40 COUNTRIES IN THE WORLD.
WE HOPE YOU WILL VISIT OUR INTERNET HOME PAGE AT THE FOLLOWING
ADDRESS.

 http://www.sang-a.com/

IF YOU VISIT OUR HOME PAGE, WE ARE SURE THAT YOU CAN GET GOOD
INFORMATION ABOUT OUR PRODUCTS.
THANK YOU FOR YOUR KIND ATTENTION.

 SANG-A PNEUMATIC CO., LTD



------------------------------

Date: Wed, 15 Dec 1999 19:42:24 -0700
From: Anonymous <[EMAIL PROTECTED]>
Subject: "Day of Deceit" by Robert Stinnett
Crossposted-To:  alt.individualism

Has anyone here read "Day of Deceit," Robert Stinnett's new book
supporting Pearl Harbor revisionism?  The reviews I've read so far
tend to be the usual suspects voicing opinions that fall along
predictable lines, but the book presents a wealth of new data relating
to pre-war American cryptanalysis and traffic analysis capabilities.

I'm wondering if anyone with a more general interest in the history of
crypto (and maybe less of their ego tied up in the outcome of the
debate over the truth of the revisionist thesis) has any comments to
offer on this material.

------------------------------

Date: Wed, 15 Dec 1999 23:11:15 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Prime series instead (Re: Pi)

Matthew Montchalin wrote:

> On Wed, 15 Dec 1999, Erik Max Francis wrote:
>
> | Matthew Montchalin wrote:
> |
> | > Is there any practical value to the number derived from using primes
> | > instead of odds in that formula?  E.g.,
> | >
> | > N = 4(1 - 1/3 + 1/5 - 1/7 + 1/11 - 1/13 + 1/17 ... )
> |
> | You forgot one.
>
> But isn't '2' a prime by royal dubbing?

Yes, the oddest of all. (Knuth?)



------------------------------

From: Uri Blumenthal <[EMAIL PROTECTED]>
Subject: Re: Why no 3des for AES candidacy
Date: Wed, 15 Dec 1999 23:47:16 -0500
Reply-To: [EMAIL PROTECTED]

Tim Wood wrote:
> >................crypto rule of thumb: if you change
> >anything in the algorithm, the analysis *results* obtained for
> >the original one, no longer apply to the modified one - i.e.
> >if the original cipher was found to have strength of 2^N,
> >the modification changed it to ???. [the fear is that while
> >improving resistance against attack A, it became weaker against
> >another attack B.]
> 
> I am, but the methods still apply. I do take your point about not
> having to re-do the analysis by not changing the 'engine' though.

(:-)

And it's not as much the technical issue, as the image:

        "they" have been studying "X" for N years,
        now you've touched "X" (no matter how much)
        and it is "different" now.

But there is *some* technical validity behind this too (:-).


> >No we didn't. That's from different papers/proposals by either
> >Eli Biham, or Matsui-san. We wanted to preserve ALL of the
> >crypto engine, because changing the order of S-boxes invalidates
> >the results of analysis - it's now an effectively new cipher engine,
> >whose resistance has to be analyzed from scratch (which they did,
> >of course).
> 
> Sorry, I interpreted it as a suggestion rather than a reference.
> 
> "The same paper also showed that S-boxes order '24673158' is immune
> to both differential and linear attack. Combining this with our key
> schedule and a generating key length of at least 64 bits again
> results in a practically unbreakable cipher."
>
> I think however that it was due to me adding too much significance
> to this bit when I was reading it.

Yeah... <wiping the egg off my face :->

Seriously, the DES-SK/n algorithm with (n>=32)  appears
practically unbreakable, as far as we could see - so no
need to improve the engine at all [and risk losing the
benefits of long years of resistance to attacks].


> >It is not exactly a "personal choice" - but a computation of the
> >strength accomplished. I.e. one shot in the head is usually enough.
> >Two to five will make it really certain. 344 shots do seem rather
> >excessive.
> 
> Sorry, very bad wording on my part, "implementation and risk-model
> dependent" would be better. *grin*

(:-)

Seriously - look at it: 32 iterations of the engine wipe out
any useful probabilities in either differential or linear
attack. No key schedule attack is possible because there
is no user access to the subkey bits and thus no way
to manipulate those bits in any predictable fashion
(so no related-key attack etc). No brute force is
feasible, because key schedule takes forever (:-).
So why bother scrambling it more, when nothing is
added by extra spins of the wheel?

[Oh, I forgot rubber-hose cryptanalysis :-]

> >Unfortunately, there is one attack nothing can defend against:
> >collecting a dictionary. This dooms ALL 64-bit block ciphers.
> >So AES begins the 128-bit block cipher standard, and DES-SK loses
> >its relevance as a practical cipher (unless you don't expect to
> >produce enough ciphertext for this attack to be a concern), and
> >becomes a mere demonstration of what a strong key schedule can
> >do and how it could be computed...
> 
> Yes, I understand that some analysis has been done on using
> triple-DES to effectively create a 128bit-block, but it only
> weakened the cipher.

Don't recall, but won't be surprised.


> >The *analysis* is certainly applicable. The *results* - not exactly.
> >I mean - a cipher that fended off attacks for 20 years, is somewhat
> >more likely to resist attacks yet to come, than a cipher which has
> >been around (analysed) only for two-three years... Mentality...
> 
> Point taken.

(:-)
-- 
Regards,
Uri
-=-=-==-=-=-
<Disclaimer>
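The birthday-bound reasoning behind "this dooms ALL 64-bit block ciphers", as an added example that is not from the thread. It computes how much ciphertext a b-bit block cipher can produce under one key before two ciphertext blocks are expected to repeat, and then shows with a constructed 16-bit toy permutation in CBC mode that a repeated block exposes the XOR of two plaintext blocks with no knowledge of the key; the toy cipher, CBC mode and sample plaintext are the example's own assumptions, not anything from DES-SK.

```python
import math
import random

def birthday_blocks(block_bits, p=0.5):
    """Ciphertext blocks after which some block value repeats with probability p
    (birthday approximation: n ~ sqrt(2 * 2^b * ln(1/(1-p))))."""
    return math.sqrt(2 * 2.0 ** block_bits * math.log(1.0 / (1.0 - p)))

def birthday_bytes(block_bits, p=0.5):
    """The same threshold expressed as bytes of ciphertext under one key."""
    return birthday_blocks(block_bits, p) * (block_bits / 8)

# Constructed stand-in for a block cipher: a fixed random permutation of 16-bit
# blocks. It is not DES; the tiny block only makes the effect visible quickly.
BLOCK_BITS = 16
_perm = list(range(1 << BLOCK_BITS))
random.Random(1999).shuffle(_perm)

def toy_encrypt(block):
    return _perm[block]

def cbc_encrypt(plain_blocks, iv):
    out, prev = [], iv
    for p in plain_blocks:
        prev = toy_encrypt(p ^ prev)
        out.append(prev)
    return out

def first_collision_leak(cipher_blocks, iv):
    """First i < j with C_i == C_j. Because C_n = E(P_n xor C_(n-1)) and E is a
    permutation, equal ciphertext blocks mean P_i xor P_j = C_(i-1) xor C_(j-1),
    which an observer reads straight off the ciphertext."""
    chain = [iv] + cipher_blocks          # chain[n] is the value XORed into P_n
    seen = {}
    for j, c in enumerate(cipher_blocks):
        if c in seen:
            i = seen[c]
            return i, j, chain[i] ^ chain[j]
        seen[c] = j
    return None

def demo(n_blocks=4096, seed=7):
    """Encrypt constructed random plaintext; report whether the leaked XOR equals
    the true plaintext XOR, and at which block the first repeat appeared."""
    rng = random.Random(seed)
    plain = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]
    iv = rng.getrandbits(BLOCK_BITS)
    hit = first_collision_leak(cbc_encrypt(plain, iv), iv)
    if hit is None:
        return False, None
    i, j, leaked = hit
    return leaked == plain[i] ^ plain[j], j
```

For a 64-bit block the threshold is about 2^32 blocks, roughly 40 GB of ciphertext under one key, which is why the 128-bit block of the AES candidates matters more than any extra spins of the engine.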

------------------------------

From: Matthew Montchalin <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Prime series instead (Re: Pi)
Date: Wed, 15 Dec 1999 20:44:11 -0800

On Wed, 15 Dec 1999, Trevor Jackson, III wrote:
| Matthew Montchalin wrote:
| > On Wed, 15 Dec 1999, Erik Max Francis wrote:
| > | Matthew Montchalin wrote:
| > | > Is there any practical value to the number derived from using primes
| > | > instead of odds in that formula?  E.g.,
| > | >
| > | > N = 4(1 - 1/3 + 1/5 - 1/7 + 1/11 - 1/13 + 1/17 ... )
| > |
| > | You forgot one.
| >
| > But isn't '2' a prime by royal dubbing?
| 
| Yes, the oddest of all. (Knuth?)

Okay, either way then.

Does the formula produce an interesting number of some kind, either by
adding two to the final sum, or subtracting two?   (Although all numbers
may be interesting in some way or other, are there any practical uses for
this particular one?)




------------------------------

From: "r.e.s." <[EMAIL PROTECTED]>
Subject: Re: Off topic -- 4 year old
Date: Wed, 15 Dec 1999 20:58:58 -0800

This looks to me like a re-run of the hoax known
as "the Internet's most prevalent thought virus".
See
http://www.web.co.za/arthur/craig01b.htm

--
r.e.s.
[EMAIL PROTECTED]



"Sukhoi2000" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
: It is the little things in life that mean so much.  If you can, please have
: everyone you know send a Christmas card to:
:
: Miss Paige Lane
: 4538 S. Creek Rd.
: Cookeville, TN  38506-7606
:
: She is 4 years old and is dying from cancer, and the only thing she wants for
: Christmas is cards.
:
: Thanks.



------------------------------

From: lobsterboy <[EMAIL PROTECTED]>
Crossposted-To: comp.compression,alt.security
Subject: Re: Scott's Screaming Security Method
Date: Wed, 15 Dec 1999 21:02:59 -0700

Okra Meinly wrote:
> 
> [EMAIL PROTECTED] (wtshaw) wrote:
> 
> >Probably helps if you have lots of hair too, but since Scott is a bit shy
> >on that department, I figure that he is not the intended one to do the
> >screaming.  It's a catchy name, however.
> 
> The name reminds me of a failed snack food called "Screaming Yellow
> Zonkers". Remember those?

They still exist!

http://www.candycenter.com/lincolnsnacks.asp

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
