Cryptography-Digest Digest #436, Volume #11      Tue, 28 Mar 00 11:13:01 EST

Contents:
  Re: Sunday People 26/3/2000: "FORGET YOUR PASSWORD... END UP IN JAIL" ("Douglas A. Gwyn")
  Re: A good encryption program? ("Andrej Madliak")
  Re: A good encryption program? ("Gordon LaVere")
  Re: ecc equation (Paul Rubin)
  Re: ecc equation (Bob Silverman)
  Re: ecc equation (Bob Silverman)
  Re: Re-seeding PRNG's in central key distribution systems (Mark Currie)
  FSE2000 Schedule (Bruce Schneier)
  Re: Download Random Number Generator from Ciphile Software (Taneli Huuskonen)
  Re: Examining random() functions (Scott Nelson)

----------------------------------------------------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Sunday People 26/3/2000: "FORGET YOUR PASSWORD... END UP IN JAIL"
Date: Tue, 28 Mar 2000 12:10:55 GMT

Anonymous wrote:
> > What this means in effect, no one will want to use encryption in
> > case they forget their password and end up in jail.
> Which is precisely their goal, of course.
> ...
> The best slave is one who puts on his own shackles. Your country has a
> bad case of the liberal-socialist disease going back decades. The country
> formerly known as the USA also has this disease but for not as long so
> the decay isn't as pronounced. Yet.

It's farther gone than you seem to realize.  Consider the close
analogy with the so-called "smart gun" legislation that gun haters
have recently proposed.  Maryland is on the brink of passing a law
requiring such technology (which has not been developed beyond the
laboratory stage yet) in every handgun sold within a few years.
The obvious goal, which of course differs from the stated goal, is
simply to prevent sales, or failing that, to reduce the positive
value of guns to the point that people won't want them any more.

One wonders whether the politicians in power actually think that
their constituency are the career criminals; they sure act like it.

------------------------------

From: "Andrej Madliak" <[EMAIL PROTECTED]>
Subject: Re: A good encryption program?
Date: Tue, 28 Mar 2000 13:56:33 +0200

Hi!

    You don't know about it yet, but you're looking for (freeware) SCRAMDISK
available from http://www.scramdisk.clara.net/.

    It doesn't work with Win NT yet (the future version will) and has
limited FAT32 support (the beta version of v3 which I have fully supports
FAT32); it doesn't work with UNIX/Linux either.

    For Linux there's a software called BestCrypt (http://www.jetico.com/),
but I don't know which algorithms it's using.

Hope this helps,

Andrej


JohnNY wrote in message ...
>I hope I am posting this question to the right group.  If not, would
>you please direct me to it?
>
>I am looking for a good encryption program (freeware or shareware)
>which will encrypt both folders and a zip disk.  Ideally, it would
>offer choices like Blowfish and IDEA.
>
>Sincere thanks for any help you are able to give.
>
>John



------------------------------

From: "Gordon LaVere" <[EMAIL PROTECTED]>
Subject: Re: A good encryption program?
Date: Tue, 28 Mar 2000 12:24:23 GMT

You might try Blowfish Advanced CS; here is the site: http://come.to/hahn

JohnNY <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I hope I am posting this question to the right group.  If not, would
> you please direct me to it?
>
> I am looking for a good encryption program (freeware or shareware)
> which will encrypt both folders and a zip disk.  Ideally, it would
> offer choices like Blowfish and IDEA.
>
> Sincere thanks for any help you are able to give.
>
> John



------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: ecc equation
Date: 28 Mar 2000 13:09:48 GMT

In article <smWC4.69430$[EMAIL PROTECTED]>,
Tom St Denis <[EMAIL PROTECTED]> wrote:
>> Firstly, I do not believe that you will be able to implement
>> even Schoof's original algorithm with the level of mathematics
>> knowledge that you currently seem to have. 
>
>No offense, but f@@@ you.  Who are you to say I am a know-nothing?  In my
>current library I have implemented RSA, several symmetric ciphers, a
>secure-PRNG, etc... So don't say I don't know what I am doing.

No offense to you either, but RSA/symmetric cipher/PRNG is to Schoof's
algorithm as bicycle is to space shuttle (well almost).  

>Second who are you to say what I should or should not be using my time for.
>Even if I don't get the math right away I would still want to see it.  You
>know there was a time when I didn't understand RSA or even the simplest
>large number math...

Get to understand Schoof's algorithm and you'll learn a lot of math,
that's for sure.  Not that there's anything wrong with that.

------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: ecc equation
Date: Tue, 28 Mar 2000 14:55:19 GMT

In article <smWC4.69430$[EMAIL PROTECTED]>,
"Tom St Denis" <[EMAIL PROTECTED]> wrote:
>
> lordcow77 <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > >Well that's just the thing I can't find any descriptions of any
> > >of the algorithms online. Even if I don't understand the
> > >algorithm I may be able to implement it.
> >
> > Firstly, I do not believe that you will be able to implement
> > even Schoof's original algorithm with the level of mathematics
> > knowledge that you currently seem to have. There is some heavy
> > algorithm wizardry to make the algorithm run at even a
> > reasonable speed and the math used is essentially on the cutting
> > edge of research in that field. Secondly, even if you were able
> > to produce a working implementation, it would not really be
> > productive as others have already done the same. Thirdly, you
> > will gain practically nothing by such an exercise after spending
> > many hours that could be far more productively spent doing other
> > activities.
>
> No offense, but f@@@ you. Who are you to say I am a know-nothing?

I want to be gentle about this. I really do.

(1) He did not say you are a know-nothing. You are a high school
student, right? He said you would be unable to implement Schoof's
algorithm with your level of math knowledge;  a different thing
entirely.

(2) There are no cookbook descriptions of Schoof's algorithm and
none of the Atkins/Elkies extensions which make it practical.

(3) The level of math required is beyond that of most with a B.S.
degree in math;  one needs to know a good deal of abstract algebra (to
understand isogenies), know the difference between local and global
fields, understand p-adic arithmetic, algebraic number theory, etc.
etc. The math is quite deep.

The prior poster was not trying to be insulting; he was being HONEST.

May I suggest you get hold of the following:

H. Cohen
A Course in Computational Algebraic Number Theory,  Springer-Verlag

This book is SUPERB.
If you can read this, you can probably handle Schoof's algorithm.

*I*  have never implemented Schoof's algorithm (never found the time),
and it would take me quite a bit of work to learn the details.



> In my
> current library I have implemented RSA, several symmetric ciphers, a
> secure-PRNG, etc...

All of these involve very elementary mathematics and number theory.



> So don't say I don't know what I am doing.

I'm sorry, but *I* could not possibly have implemented Schoof's
algorithm even after I finished my undergrad degree in math.

The simple fact is that you are not even aware of the level of math
involved.  Others are not trying to belittle you. You need to study
math for a few more years before you even become aware of what it is
that you don't currently know.
>
> Second who are you to say what I should or should not be using my
> time for.

I agree with you here.



--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

Subject: Re: Re-seeding PRNG's in central key distribution systems
From: [EMAIL PROTECTED] (Mark Currie)
Date: 28 Mar 2000 15:29:55 GMT

In article <8bp7ue$k9d$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
>
>Tim Tyler wrote:
>> Bryan Olson  wrote:
>
>> : Correct, and the requirements on PRNGs for key generation
>> : are even stronger. Specifically, even given the state
>> : of the PRNG, one should not be able to determine previous
>> : outputs. This is not usually a requirement on stream-cipher
>> : PRNGs, and thus a strong stream cipher is not automatically
>> : good for key generation. One should not, for example, use
>> : RC4.
>>
>> I find your post difficult to interpret.
>>
>> You say "given the state of the PRNG".
>>
>> You mean the *entire* internal state?
>
>One should not be able to determine previous outputs from
>the state.  Not from the entire state and not from any part
>of the state. I don't see any ambiguity in what I wrote.  I
>even gave an example of a generator which fails this
>criterion, RC4, and one which satisfies it (barring unknown
>cryptanalytic results), from FIPS 186.


Interestingly enough, FIPS-186 allows the use of the ANSI X9.17 prng which does 
not appear to have the property of forward-secrecy. They don't tell you how to 
generate the date/time vector so I assume that this can be worked out if you 
know (or guess) the date and time of generation. Therefore if the secret DEA 
key was ever leaked, it would seem that you could work out previous and future 
prng outputs.

The prng described in the FIPS-186 standard itself *does* have forward-secrecy 
though, since it uses one-way functions.


>
>> If so, I don't see why this
>> requirement is a necessary one for a PRNG used for
>> key generation.
>
>Are you familiar with "ephemeral keys" or "forward secrecy"?
>
>> If you have the *entire* internal state you can predict
>> future output.  This would be very bad. Attackers should
>> not be able to obtain the entire internal state of the
>> PRNG in the first place.
>
>Be careful not to confuse "in the first place" with "ever".
>In a lecture, Whit Diffie noted a disadvantage of
>cryptographic protection, compared with other measures, is
>that compromised keys can reach backward through time.
>Cryptographers have learned to destroy secrets as soon as
>possible.
>
>Note also that the key generator from FIPS 186 allows an
>optional input that gets mixed into the state.  It is not
>always forward-predictable.


But use of the optional input can be seen as re-seeding which is not what (I 
think) Tim Tyler was meaning. If you know the entire state of a prng and the 
next output is a function of the previous output, you can always 
forward-predict.

Mark

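The two properties Mark contrasts, forward prediction from a known state and recovery of earlier outputs, can be checked directly. The following is an added illustration, not code from the post or from either standard; it assumes a toy SHA-256-keyed Feistel permutation in place of the DEA block cipher and reduces the FIPS 186 generator to its core XKEY update with SHA-1 as G().

```python
# Added illustration, not code from the post or either standard.
# Assumptions: a toy 4-round Feistel keyed with SHA-256 stands in for the
# DEA/triple-DES block cipher of ANSI X9.17, and the FIPS 186 generator is
# reduced to its core update XKEY' = (1 + XKEY + G(XKEY)) mod 2^b with
# SHA-1 as G() and the optional XSEED input left out.
import hashlib

HALF = 8  # toy block is 16 bytes: two 8-byte halves


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy keyed permutation (stand-in for DEA); NOT a real cipher."""
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def x917_generate(key: bytes, seed: bytes, timestamps: list) -> tuple:
    """X9.17: I = E(DT); R = E(I ^ V); V' = E(R ^ I). Returns (outputs, V_final)."""
    outputs = []
    for dt in timestamps:
        i = toy_encrypt(key, dt)
        r = toy_encrypt(key, _xor(i, seed))
        seed = toy_encrypt(key, _xor(r, i))
        outputs.append(r)
    return outputs, seed


def x917_backtrack(key: bytes, final_seed: bytes, timestamps: list) -> list:
    """Backtracking check: with the key, the current state V and the (guessed)
    timestamps, every earlier output is recovered by decrypting backwards."""
    outputs, seed = [], final_seed
    for dt in reversed(timestamps):
        i = toy_encrypt(key, dt)
        r = _xor(toy_decrypt(key, seed), i)     # invert V' = E(R ^ I)
        seed = _xor(toy_decrypt(key, r), i)     # invert R  = E(I ^ V)
        outputs.append(r)
    return outputs[::-1]


def fips186_generate(xkey: int, n: int, b: int = 160) -> tuple:
    """FIPS 186 core: x = G(XKEY); XKEY' = (1 + XKEY + x) mod 2^b.
    Forward prediction from XKEY is trivial, but walking backwards would
    require solving XKEY + G(XKEY) = XKEY' - 1, i.e. inverting G."""
    outputs = []
    for _ in range(n):
        x = int.from_bytes(hashlib.sha1(xkey.to_bytes(b // 8, "big")).digest(), "big")
        xkey = (1 + xkey + x) % (1 << b)
        outputs.append(x)
    return outputs, xkey


if __name__ == "__main__":
    key, v0 = b"constructed-key!", b"constructed-seed"   # constructed sample values
    dts = [n.to_bytes(16, "big") for n in range(954_000_000, 954_000_005)]
    outs, v_final = x917_generate(key, v0, dts)
    assert x917_backtrack(key, v_final, dts) == outs
    print("X9.17-style: all", len(outs), "earlier outputs recovered from key + state")
```

Both generators forward-predict once their state is known; only the FIPS 186-style update resists the backward walk, which is the forward-secrecy distinction the post draws.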

------------------------------

From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: FSE2000 Schedule
Date: Tue, 28 Mar 2000 15:48:19 GMT

Here's the FSE schedule.  Information on the conference is at
http://www.counterpane.com/fse.html

==========================================================================

Sunday  (9 April 2000)

Registration and Welcome Reception


Monday  (10 April 2000)

9:00            Registration

9:30            Welcome

9:40 - 10:30    Session 1:  Specific Stream-Cipher Cryptanalysis:

Real Time Cryptanalysis of A5/1 on a PC 
Alex Biryukov, Adi Shamir, and David Wagner 

Statistical Analysis of the Alleged RC4 Keystream Generator 
Scott R. Fluhrer and David A. McGrew 

10:30 - 11:10   Coffee Break

11:10 - 12:00   Session 2:  New Ciphers

The Software-Oriented Stream Cipher SSC2 
Muxiang Zhang, Christopher Carroll, Agnes H. Chan 

Mercy: A Fast Large Block Cipher for Disk Sector Encryption 
Paul Crowley 

12:00 - 1:30    Lunch

1:30 - 2:45             Session 3: AES Cryptanalysis - 1

A Statistical Attack on RC6 
Henri Gilbert, Helena Handschuh, Antoine Joux, and Serge Vaudenay 

Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent
John Kelsey, Tadayoshi Kohno, and Bruce Schneier

Correlations in RC6 with a Reduced Number of Rounds 
Lars R. Knudsen and Willi Meier 

2:45 - 3:25             Coffee Break

3:25 - 4:15             Session 4:  Block-Cipher Cryptanalysis - 1

On the Interpolation Attacks on Block Ciphers 
A.M. Youssef and G. Gong 

Stochastic Cryptanalysis of Crypton 
Marine Minier, Henri Gilbert


Tuesday  (11 April 2000)

9:15 - 10:05    Session 5:  Power Analysis:

Bitslice Ciphers and Power Analysis Attacks 
Joan Daemen, Michael Peeters, and Gilles Van Assche 

Securing the AES Finalists Against Power Analysis Attacks 
Thomas S. Messerges 

10:05 - 10:45   Coffee Break

10:45 - 12:00   Session 6:  General Stream-Cipher Cryptanalysis:

Ciphertext Only Reconstruction of Stream Ciphers based on Combination
Generators 
Anne Canteaut and Eric Filiol 

A Simple Algorithm for Fast Correlation Attacks on Stream Ciphers 
Volodja Chepyshov, Thomas Johansson, and Ben Smeets 

A Low-Complexity and High-Performance Algorithm for the Fast
Correlation Attack 
Miodrag J. Mihaljevic, Marc P.C. Fossorier, and Hideki Imai 

12:00 - 1:30    Lunch

1:30 - 2:20             Session 7:  AES Cryptanalysis - 2

Improved Cryptanalysis of Rijndael 
Niels Ferguson, John Kelsey, Bruce Schneier, Mike Stay, David Wagner,
and Doug Whiting 

On the Pseudorandomness of AES Finalists --- RC6 and Serpent
Tetsu Iwata and Kaoru Kurosawa

2:20 - 2:50             Coffee Break

2:50 - 5:00             Session 8:  Rump Session

6:00 - 8:00             Conference Reception


Wednesday  (12 April 2000)

9:15 - 10:05    Session 9:  Block-Cipher Cryptanalysis - 2

Linear Cryptanalysis of Reduced-Round Versions of the SAFER Block
Cipher Family 
Jorge Nakahara Jr., Bart Preneel, and Joos Vandewalle 

A Chosen-Plaintext Linear Attack on DES 
Lars R. Knudsen and John Erik Mathiassen 

10:05 - 10:25   FSE Business Meeting

10:25 - 11:00   Coffee Break

11:00 - 12:15   Session 10:  Theoretical Work:

Provable Security against Differential and Linear Cryptanalysis for
the SPN Structure 
Seokhie Hong, Sangjin Lee, Jongin Lim, Jaechul Sung, and Donghyeon
Cheon 

Unforgeable Encryption and Adaptively Secure Modes of Operation 
Jonathan Katz and Moti Yung 

Efficient Methods for Generating MARS-like S-boxes 
L. Burnett, G. Carter, E. Dawson, and W. Millan 

**********************************************************************
Bruce Schneier, Counterpane Internet Security, Inc.  Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------

From: [EMAIL PROTECTED] (Taneli Huuskonen)
Crossposted-To: talk.politics.crypto
Subject: Re: Download Random Number Generator from Ciphile Software
Date: 28 Mar 2000 18:40:54 +0300

In <[EMAIL PROTECTED]> Anthony Stephen Szopa
<[EMAIL PROTECTED]> writes:

[...]
>My position is that the theory upon which OAP-L3 is based is
>fundamentally simple.  So simple that one versed in possible 
>attacks should be able to reasonably suggest any if they seemed 
>to have potential of success.

>I just haven't heard of one yet.

>I would like to hear of one if one should exist.

I told you about a weakness in your random number generator, but you
didn't understand my explanation and therefore concluded I was mistaken.

I then suggested an exercise for you, where a similar phenomenon occurs
in a much simpler setting.  That's a very useful technique in learning
mathematics: if you can't solve a problem, see whether you can solve a
related but easier problem.  If you can, you may be able to apply
similar methods to solve the original problem.  In the attack I'd hinted
at, you'd have to consider four different lines of a huge array of
permutations at a time.  In my exercise, you started with three
arbitrary permutations and formed four more, two of which would've been
exactly the same.  However, looks like my suggestion confused the hell
out of you.  I guess I could've been clearer about what I was aiming at.
In my job, I make up little homework problems for students without a
second thought, and somehow I've grown to expect that just mentioning
the word "exercise" is enough.

At any rate, I'm not going to try to teach you math any more.  I'm going
to issue a concrete challenge.

IF you agree to do the following:

1) Post the source code for the part of your PRNG that takes as input
three sets of 10! permutations of the numbers 0 through 9 each, and
outputs up to (10!)^2 random digits according to the description on
your Web page.

2) Make one hundred files of a thousand digits each available on your
Web site, with the n'th file containing digits (10!)n through
(10!)n+999 of the output stream of the PRNG.  You may use any three sets
of 10! permutations as input to the PRNG, whether mixed with your
programme or not.

3) No later than four weeks after completing (2) above, you publish the
three sets of permutations that you used as input to produce the files
you published in step (2).

THEN I claim I can do the following:

I post at least a thousand output digits of the PRNG, with the
corresponding offsets, which aren't contained in the published output.
I complete this within two weeks of you completing (2).

If you agree and I fail, I agree to pay you USD 1000.00 (one thousand
United States dollars).  I send the money no later than four weeks after
you complete step (3).

You may agree to pay me any non-negative sum of money you wish in case I
succeed.  I consider the amount to be indicative of your trust in your
own programme.  I will even send you beforehand half of that amount
or $200, whichever is less, so you don't need to decline because of your
lack of trust in my honesty.

In short, $1,000 say the attack I hinted at is real.  I don't want to
speculate on whether it can be expanded to a full-blown attack to
break your code, but it's definitely a weakness.

Taneli Huuskonen

-- 
I don't   | All messages will be PGP signed,  | Fight for your right to
speak for | encrypted mail preferred.  Keys:  | use sealed envelopes.
the Uni.  | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/

------------------------------

From: [EMAIL PROTECTED] (Scott Nelson)
Subject: Re: Examining random() functions
Reply-To: [EMAIL PROTECTED]
Date: Tue, 28 Mar 2000 16:05:51 GMT


[edited]

On Mon, 27 Mar 2000 Johnny Bravo <[EMAIL PROTECTED]> wrote:
>On Mon, 27 Mar 2000, Andy wrote:
>
>>      I've been playing around with random integer generators and
>>was wondering about different methods of examining the output.
>>
[snip]
>>      So, can anyone recommend another way?
>
>  See the tests in the DieHard test suite.  

I recommend my C conversion of that suite, available at
 ftp://helsbreth.org/pub/helsbret/random/
The documentation alone makes it worth the download.

The original Diehard source is available at
 http://stat.fsu.edu/~geo/diehard.html

Scott Nelson <[EMAIL PROTECTED]>

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
