Cryptography-Digest Digest #843, Volume #11      Tue, 23 May 00 12:13:00 EDT

Contents:
  Re: Initialization Vector / Message Key with Stream Cipher? ("Elros")
  BeeCrypt 0.9.5 released (Bob Deblier)
  Re: Asynchronous and simple algorithm (Runu Knips)
  Encryption within newsgroup postings ("Dave Jones")
  MARS S Box ([EMAIL PROTECTED])
  Re: Yet another block cipher: Storin ([EMAIL PROTECTED])
  Re: Yet another block cipher: Storin (Mok-Kong Shen)
  Re: Encryption within newsgroup postings (Volker Hetzer)
  Re: MARS S Box (Mark Wooding)
  Re: Introduction to zero knowledge proofs? (Anton Stiglic)
  Re: Crypto patentability (Mok-Kong Shen)
  Graphic Encryption (John Bailey)
  Re: Crypto patentability (John)
  Re: Crypto patentability (Mok-Kong Shen)
  Re: how do you know your decryption worked? (wtshaw)
  Re: OT: Long sentences (wtshaw)
  RE: Yet another block cipher: Storin ("Manuel Pancorbo")

----------------------------------------------------------------------------

From: "Elros" <[EMAIL PROTECTED]>
Subject: Re: Initialization Vector / Message Key with Stream Cipher?
Date: Tue, 23 May 2000 08:35:45 -0500

+ means concatenation in all cases.


John Savard <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Tue, 23 May 2000 00:48:07 GMT, "Elros" <[EMAIL PROTECTED]> wrote,
> in part:
>
> >Let's say that U is a key supplied by the user, that R is a string of
> >"random" characters (different for each encryption), and that M is a
> >message to be encrypted.  With a stream cipher, is it better to:
>
> >1. Encrypt M with a key of R (giving Me). Encrypt R with a key of U
> >(giving Re). Store the ciphertext as Re+Me.
>
> >OR
>
> >2. Encrypt M with a key of U+R (giving Me). Store the ciphertext as R+Me
> >(i.e. R is not encrypted in the ciphertext).
>
> In 1), it was obvious that + meant concatenation; and that is
> certainly a valid scheme of storing M, encrypted, so that if you know
> U you can find M, and R supplies variation.
>
> In 2), I thought that + meant something like XOR. If that's what it
> means the first time, while it is concatenation the second time, this
> would be valid as well, although I'd feel safer with (1); if + is
> concatenation the first time, part of the key is in the clear, so that
> is not very good, even if U is "long enough".
>
> John Savard (teneerf <-)
> http://www.ecn.ab.ca/~jsavard/



------------------------------

From: Bob Deblier <[EMAIL PROTECTED]>
Subject: BeeCrypt 0.9.5 released
Date: Tue, 23 May 2000 15:46:19 +0200

Hi all,

I've just posted an update to BeeCrypt on our website at
http://beecrypt.virtualunlimited.com/

Changes in this release:

0.9.5:
    - Added PowerPC assembler optimization for multiprecision integers,
80% faster on our PowerMac 7200/90
    - Fixed /dev/random entropy provider
    - Changed name SHA1 to SHA-1 in fips180 for consistency

If there's a currently unsupported platform you would like to see added,
just drop me a line at [EMAIL PROTECTED]

Sincerely

Bob Deblier
Virtual Unlimited


------------------------------

Date: Tue, 23 May 2000 15:51:53 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: Asynchronous and simple algorithm

Martin Winter wrote:
> I have to implement some security into an online game that has to store the
> score, e-mail address... of the user to a webserver. Since the language I
> have to program in is very limited (Lingo in Macromedia Director/Shockwave),
> I am desperately looking for a more or less simple asynchronous encryption
> algorithm because the prices for the best players are quite nice (cellular
> phones, computers etc.)

Please be more specific. What features does your language actually HAVE???

Select from the list:

[ ] Shift + Rotate
[ ] Multiplication
[ ] Unsigned arithmetic
[ ] Bitwise operations (especially XOR and AND)
[ ] Arrays
[ ] Multi-Dimensional arrays
[ ] Arithmetic without overflow exceptions

A language without any of these might still allow some kinds of
encryption, but it will become really tricky.

------------------------------

Reply-To: "Dave Jones" <[EMAIL PROTECTED]>
From: "Dave Jones" <[EMAIL PROTECTED]>
Subject: Encryption within newsgroup postings
Date: Tue, 23 May 2000 14:58:43 -0000

Dear All,

I have found a variety of newsgroup postings which have part of the text
encrypted.  There are no numbers or special characters used, it looks
something like the following:

yytjk y pltra........etc

Has anyone come across this, and if so, can you please explain the
encryption/decryption process used.

Thank you
Dave



------------------------------

From: [EMAIL PROTECTED]
Subject: MARS S Box
Date: Tue, 23 May 2000 14:17:50 GMT

How is the Mars S Box designed...is it a Large Table lookup like DES or
derived algebraically..
The MARS document just says that the S Box was generated
in a "Pseudorandom fashion" and tested for Linear and Differential
Cryptanalysis...That is not much detail and a bit vague...

If you compare this with the other candidates...e.g. Twofish where they
clearly state out their design goals for the S box using tabular and
Algebraic techniques...the F and the g functions are well described in
their document..

I find the MARS description very lacking....Does that mean MARS will be
the finalist ? :-)



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Yet another block cipher: Storin
Date: Tue, 23 May 2000 15:10:26 GMT

In article <[EMAIL PROTECTED]>,
  Runu Knips <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > A quick look brought a question to mind.  It appears that it is
> > possible to get two plaintext to encrypt to one cipher text.  It is
> > possible that the 4X4 matrix can give two multiplies that both give
> > a zero vector as a result?
>
> But the paper states the matrices have to be invertible ? If there
> is an inverse matrix, then the whole thing is bijective, isn't it ?
>

In general linear algebra this is true, but I think modulo addition and
mult screws it up.  The matrix in my example is invertible because the
determinant is non-zero. At the same time, I showed -two- vectors that
produce the zero vector, a contradiction with respect to being
bijective.  The linear algebra rules appear to be different when using
modulo math.

I am not saying the cipher is broken because I haven't found a case with
the actual matrix.  The general principle would seem to hold however.

--Matthew


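The point in the post above, worked through as an added example (not code from the thread or from Storin): over Z_{2^K} a matrix is a bijection exactly when its determinant is a unit, i.e. odd, so a determinant that is merely nonzero can still leave a nonzero vector that maps to zero. K = 4 instead of Storin's 24 so that every input can be enumerated; the matrices EVEN and ODD are constructed for the example.

```python
# Added example: invertibility of a 2x2 matrix over Z_{2^K} (integers mod 2^K).
K = 4                 # word size in bits; Storin works mod 2^24, 4 keeps brute force tiny
MOD = 1 << K

def matvec(m, v):
    """Matrix-vector product with every entry reduced modulo 2^K."""
    return tuple(sum(a * x for a, x in zip(row, v)) % MOD for row in m)

def det2(m):
    """Determinant of a 2x2 matrix, reduced modulo 2^K."""
    return (m[0][0] * m[1][1] - m[0][1] * m[1][0]) % MOD

def is_unit(d):
    """A residue is invertible mod 2^K exactly when it is odd (coprime to 2^K)."""
    return d % 2 == 1

def kernel_vectors(m):
    """Every nonzero input that the map sends to (0, 0); each one collides with
    the zero vector, i.e. two plaintexts with the same image (brute force)."""
    return [(x, y) for x in range(MOD) for y in range(MOD)
            if (x, y) != (0, 0) and matvec(m, (x, y)) == (0, 0)]

def is_bijective(m):
    """Check directly that all MOD^2 inputs have distinct images."""
    images = {matvec(m, (x, y)) for x in range(MOD) for y in range(MOD)}
    return len(images) == MOD * MOD

def inverse2(m):
    """Adjugate times the inverse of the determinant; exists only when det is a unit."""
    d = det2(m)
    if not is_unit(d):
        raise ValueError("det = %d is nonzero but not a unit mod 2^%d" % (d, K))
    dinv = pow(d, -1, MOD)                       # modular inverse (Python 3.8+)
    return ((m[1][1] * dinv % MOD, -m[0][1] * dinv % MOD),
            (-m[1][0] * dinv % MOD, m[0][0] * dinv % MOD))

# Constructed matrices: EVEN has det 6 (nonzero, but 6 is not a unit mod 16),
# ODD has det 17 = 1 mod 16.
EVEN = ((2, 1), (0, 3))
ODD = ((3, 1), (4, 7))

if __name__ == "__main__":
    for name, m in (("EVEN", EVEN), ("ODD", ODD)):
        print(name, "det =", det2(m), "unit:", is_unit(det2(m)),
              "bijective:", is_bijective(m), "kernel:", kernel_vectors(m))
```

For EVEN the input (8, 0) lands on the zero vector alongside (0, 0), which is exactly the two-plaintexts-one-ciphertext situation the post asks about.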

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Yet another block cipher: Storin
Date: Tue, 23 May 2000 17:31:00 +0200



Mark Wooding wrote:

> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> > You are using Hill's method. Am I right?
>
> No, not really.  The matrix is fixed, not key-dependent.  The structure
> is that of a standard iterated SP-network.

Do you use the term matrix in the sense of mathematics? If yes, please
show in which respect your method differs from that of Hill.

M. K. Shen


------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: Encryption within newsgroup postings
Date: Tue, 23 May 2000 15:25:05 +0000

Dave Jones wrote:
> 
> Dear All,
> 
> I have found a variety of newsgroup postings which have part of the text
> encrypted.  There are no numbers or special characters used, it looks
> something like the following:
> 
> yytjk y pltra........etc
It's probably ROT13. That means that to every character the number 13
is added (modulo 26) so that an "a" becomes an "n", a "b" an "o" and
so on.
The point is usually to prevent people from accidentally reading
something they might find offensive (after warning them).
The idea is that you have to act to make it readable and can't come
across it accidentally.

Greetings!
Volker
--
I believe that children are our future --- nasty, brutish, and short.

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: MARS S Box
Date: 23 May 2000 15:30:30 GMT

[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> How is the Mars S Box designed...is it a Large Table lookup like DES or
> derived algebraically..

It's a large (512-entry) lookup table.  Recap:

  * Twofish: two 8x8 S-boxes, derived from 8 4x4 S-boxes and some simple
    functions.  The little boxes were generated by something the
    designers didn't tell us about.

  * MARS: one big 9x32 S-box, generated using SHA-1 from a published
    seed.

  * Serpent: eight 4x4 S-boxes, generated using the DES S-boxes and a
    deterministic RC4-ish algorithm which mangled the tables until they
    met certain criteria.  The algorithm and criteria are published.

  * RC6: no S-boxes.  Just the rotations, addition, XOR and the magic x
    -> 2x(x + 1) function.

  * Rijndael: a single 8x8 S-box, made from a multiplicative inversion
    in GF(2^8) and an affine transformation over GF(2).  The designers
    describe how the quality of the S-box is comparatively unimportant,
    given the good diffusion of the rest of the structure.

> The MARS document just says that the S Box was generated
> in a "Pseudorandom fashion" and tested for Linear and Differential
> Cryptanalysis...That is not much detail and a bit vague...

I thought the document was rather specific.  The function they used was
based on SHA-1.  You put a seed in and it gives you an S-box.  Sometimes
the S-box has the appropriate properties; mostly it doesn't, so you try
a different seed.  They publish the seed they finally used, so you can
check that they haven't cheated.

The point of using SHA-1 here is to show that the MARS designers had
very little control over the S-box generated, except that it was fairly
random and had the properties they listed.  Of course, this doesn't
*guarantee* that they didn't also search for some other properties
they're not telling us about, but it is at least an effort to convince
us sceptics that they've not hidden a trap-door in there.  I'm more
convinced by the difficulty of getting any trap door in the S-box
through the mess that is the MARS cipher, to be honest. ;-)

Note that the program they used had a bug, and the S-box doesn't
actually have one of the properties they wanted.  This doesn't seem to
be a particular disaster.

-- [mdw]
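A scaled-down illustration of the generate-from-a-seed-and-test pattern described above, added here as an example (this is not MARS's actual procedure or code): a 4x4 S-box is derived deterministically from SHA-1 of a seed, scored against two standard criteria (differential uniformity and linearity), the best-scoring seed over a budget is kept as the "published" seed, and a sceptical reader regenerates the table and recomputes the properties rather than trusting the designers' program. The seeds and the scoring order are constructed for the example; the PRESENT S-box appears only as a known reference point for the two scoring functions.

```python
import hashlib

N = 4                       # S-box width in bits (MARS's real table is 9-bit in, 32-bit out)
SIZE = 1 << N

def parity(v):
    return bin(v).count("1") & 1

def sbox_from_seed(seed):
    """Deterministically turn a seed into a permutation of 0..15 by driving a
    Fisher-Yates shuffle with the bytes of SHA-1(seed): same seed, same table."""
    stream = hashlib.sha1(seed).digest()      # 20 bytes, 15 are needed
    box = list(range(SIZE))
    for i in range(SIZE - 1, 0, -1):
        j = stream[SIZE - 1 - i] % (i + 1)    # modulo bias is irrelevant here: only reproducibility matters
        box[i], box[j] = box[j], box[i]
    return box

def differential_uniformity(box):
    """Largest difference-distribution-table entry over nonzero input differences;
    smaller means no single differential through the box holds too often."""
    worst = 0
    for a in range(1, SIZE):
        counts = [0] * SIZE
        for x in range(SIZE):
            counts[box[x] ^ box[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst

def linearity(box):
    """Largest |Walsh coefficient| over all input masks and nonzero output masks;
    smaller means the best linear approximation of the box has a smaller bias."""
    worst = 0
    for b in range(1, SIZE):
        for a in range(SIZE):
            w = sum(1 - 2 * (parity(a & x) ^ parity(b & box[x])) for x in range(SIZE))
            worst = max(worst, abs(w))
    return worst

def score(box):
    """Lower is better: candidates are ordered by DU, then linearity, then fixed points."""
    fixed = sum(1 for x in range(SIZE) if box[x] == x)
    return (differential_uniformity(box), linearity(box), fixed)

def search(base_seed, budget):
    """Try seeds base_seed||counter and keep the best-scoring table, the way a
    designer iterates seeds until the criteria are met; returns (seed, box, score)."""
    best = None
    for n in range(budget):
        seed = base_seed + n.to_bytes(4, "big")
        box = sbox_from_seed(seed)
        s = score(box)
        if best is None or s < best[2]:
            best = (seed, box, s)
    return best

def verify(published_seed, published_box, claimed_score):
    """What a sceptical reader does with the published seed: regenerate the table
    and recompute the properties instead of trusting the designers' program."""
    box = sbox_from_seed(published_seed)
    return box == published_box and score(box) == claimed_score

# Known reference: the PRESENT S-box, which has DU 4 and linearity 8 (optimal for 4 bits).
PRESENT = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]

if __name__ == "__main__":
    seed, box, s = search(b"example-seed", 200)        # constructed seed prefix
    print("seed", seed.hex(), "box", box, "score (DU, lin, fixed)", s)
    print("verifies:", verify(seed, box, s))
```

Recomputing the score in verify, rather than only re-deriving the table, is the step that would have caught the buggy property check mentioned above.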

------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Introduction to zero knowledge proofs?
Date: Tue, 23 May 2000 11:35:15 -0400

There are some notes from a course given by Claude Crepeau,
not much though, but better than nothing... :)

http://crypto.CS.McGill.CA/~crepeau/CS647/

look at Lecture notes 1-6.

Also, Oded Goldreich has fragments of his book on-line:
http://theory.lcs.mit.edu/~oded/

and some zero-Knowledge stuff.

Goldreich is *very* technical though.  If you don't have
some background in theory of computation you might find
his stuff very hard to read...

Also, Stinson's book (Cryptography, theory and practice) 
has some examples of Zero-Knowledge proofs...

Cheers!

Anton

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Crypto patentability
Date: Tue, 23 May 2000 17:50:28 +0200

Mark Wooding wrote:

> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> > I suppose that our group, as the largest (as far as I am aware) public
> > crypto community, should form certain unified standpoint as to what is
> > and what is not patentable in crypto in our conviction,
>
> That's not likely while Terry Ritter and myself are in the same
> newsgroup.  Much as I respect Terry's contributions, both to sci.crypt
> in particular and to cryptography in general, I cannot agree with him
> over patent issues.  I'm a strong believer that the patent system, both
> in the US and elsewhere, needs to be either massively overhauled or
> scrapped entirely.
>
> Further discussion on this subject is inappropriate for sci.crypt.
> People who have an interest in the issue may find discussions ongoing
> in gnu.misc.discuss and misc.int-property.

If you don't agree with someone on a topic, then you can discuss
with him, can't you? It's o.k. if you prefer not to say anything.
We are in a 'discussion' group, aren't we? If you have your
worthy opinions on patents, then let us know and let these be
discussed such that (hopefully) ''the patent system, both in the
US and elsewhere,''  would be  ''either massively overhauled or
scrapped entirely''.

Why is a discussion on crypto patents inappropriate in this
group? Note that there is a chapter on crypto patents in HAC.
If you think that the discussion is inappropriate, then please
give your detailed reasons and let these be discussed. The
Hitachi claims are menacing AES. Anyone designing encryption
algorithms is potentially facing the same risk. So the present
situation of patents needs to be clarified and understood and we
should attempt, if possible, to get the patent system reformed
for our interest (which you apparently also want according to
what you said). Why is crypto patentability instead appropriate
for discussion in a gnu group??

M. K. Shen






------------------------------

From: [EMAIL PROTECTED] (John Bailey)
Subject: Graphic Encryption
Date: Tue, 23 May 2000 15:41:55 GMT

quoting http://www.cl.cam.ac.uk/~fms27/vck/

Visual Cryptography Kit
Visual cryptography (invented by Naor & Shamir in 1994; read their
seminal paper (http://www.wisdom.weizmann.ac.il/~naor/PAPERS/vis.ps) 
or a locally cached copy) is a method for securely encrypting messages
in such a way that the recipient won't need a computer to decrypt
them. The underlying cipher is essentially the one time pad; so the
system is unbreakable in the information theoretical sense
(end quote)

The system described is a way of XORing graphics with only an OR
function, which can be done by overlaying transparencies of seemingly
random graphic mottle, or with graphic editors such as LView Pro. 

The Visual Cryptography web page provides links for downloading
software to generate additional graphic encryption examples, however
the software is written in Python, a language I was disinclined to add
to my repertoire.  It took some experimentation, but I found I could
produce examples by using one of the random background fields from the
Visual Cryptography web page and a black and white graphic of my own,
processing these through manipulations using LView Pro (a common
graphics editor) and its Operate Images feature.  Using only summing
and inversion, a graphic can be produced for which a graphic
from the Visual Cryptography Kit page is a key.

My encrypted graphic is at:
http://www.frontiernet.net/~jmb184/cifrgrfx.gif
The key is at: 
http://www.cl.cam.ac.uk/~fms27/vck/share1.gif

Decryption with transparency overlay is possible but tedious.  I
recommend using a graphics editor to overlay them OR printing the
images with double sized pixels.

John
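The Naor-Shamir 2-out-of-2 scheme the post describes, as an added example (not the Visual Cryptography Kit's code): each secret pixel becomes a pair of subpixels on each share; stacking the transparencies is an OR, and because share 2 carries the complementary pattern exactly where the secret pixel is black, that OR reveals the XOR of the two shares. The 5x4 bitmap and the seeded random generator are constructed for the example.

```python
import random

# Naor-Shamir 2-out-of-2 visual cryptography: every secret pixel is expanded
# into a pair of subpixels on each share (1 = black, 0 = transparent).
PATTERNS = ((1, 0), (0, 1))

def make_shares(secret, rng):
    """secret: rows of 0/1 pixels (1 = black).  Share 1 gets a uniformly random
    pattern per pixel; share 2 repeats it for a white pixel and takes the
    complementary pattern for a black one.  Returns two shares (rows of pairs)."""
    share1, share2 = [], []
    for row in secret:
        r1, r2 = [], []
        for px in row:
            p = rng.choice(PATTERNS)
            r1.append(p)
            r2.append(p if px == 0 else tuple(1 - b for b in p))
        share1.append(r1)
        share2.append(r2)
    return share1, share2

def stack(share1, share2):
    """Overlaying the transparencies: a subpixel is dark if it is dark on either
    share, i.e. an OR, the only operation the eye (or summing in an image editor) does."""
    return [[tuple(a | b for a, b in zip(p, q)) for p, q in zip(r1, r2)]
            for r1, r2 in zip(share1, share2)]

def decode(stacked):
    """Two dark subpixels = black pixel; one dark subpixel = white (seen as grey)."""
    return [[1 if sum(p) == 2 else 0 for p in row] for row in stacked]

def share_is_half_dark(share):
    """Each pair on a share has exactly one dark subpixel whatever the secret was,
    so a single share looks like uniform noise and reveals nothing about it."""
    return all(sum(p) == 1 for row in share for p in row)

# Constructed 5x4 secret bitmap (a small "F").
SECRET = [[1, 1, 1, 1],
          [1, 0, 0, 0],
          [1, 1, 1, 0],
          [1, 0, 0, 0],
          [1, 0, 0, 0]]

def render(share):
    """ASCII view of a share or of the stacked result: '#' dark, '.' clear."""
    return "\n".join("".join("#" if b else "." for p in row for b in p) for row in share)

if __name__ == "__main__":
    s1, s2 = make_shares(SECRET, random.Random(2000))   # seeded only for reproducibility
    print(render(s1), "\n", sep="")
    print(render(stack(s1, s2)))
    print(decode(stack(s1, s2)) == SECRET)
```

The 2x pixel expansion is why the post suggests printing with double-sized pixels: each original pixel occupies two subpixels on the sheet.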

------------------------------

Subject: Re: Crypto patentability
From: John <[EMAIL PROTECTED]>
Date: Tue, 23 May 2000 08:42:44 -0700

There is a legal question as to if patenting a computer program
is even valid!  Some argue that copyright is sufficient.  With
an NDA, it seems rights can be protected.  There is other
argumentation for having a "soft patent." A special class of
certificate for computer programs.  I don't think the courts
will uphold patenting computer programs. I don't think we need
soft-patents.
http://www.aasp.net/~speechfb






------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Crypto patentability
Date: Tue, 23 May 2000 17:59:12 +0200



Runu Knips wrote:

> Fully agreed.
>
> But first, I would simply stop the practice of paying
> those people at the patent office for the number of
> patents which they accept. Thats like paying a
> programmer for the number of lines of code !

Those who are examining patents at the patent offices are
just like ones working in any other government institutions.
We shouldn't and we don't have a way to do them any
harm. What is needed is a reform of the patent policy
(the principles) and hence the practice. Note that I am
not aiming at a reform of patents in general. That would
be nice, but probably be too big a task to have chance of
realization in the near future. I am aiming at a reform in
the field of crypto patents which directly concern us.

M. K. Shen



------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: how do you know your decryption worked?
Date: Tue, 23 May 2000 08:57:56 -0600

In article <[EMAIL PROTECTED]>, Carb Unit <[EMAIL PROTECTED]> wrote:

> What few FAQs I could find on encryption were way over
> my head.  Just explain to me, as if you were talking to
> your mom:  How can you decrypt anything if you don't
> know what you're looking for?
> 
> I mean, given that most computer files already have one
> level of "encryption" --their respective software's proprietary
> data format, and that there are thousands of such formats
> in the world today, what do you do after you run your decryption
> algorithm?  Test if it's a GIF?, no?, a ZIP?, no?, a WAV?, etc?
> 
> Or is the assumption always that the material is plain text?
> 
> An extremely green question, I'm sure.   I'd just like to know.
> 
> --tom

You are singing an important song at one point, that coding is one form of
encryption. Otherwise, we should see only universal computers that ran all
programs the same.  Some dream this to be so, but want an inferior
standard to thwart those that do things in another, obviously better, way.

There are those that dream that they can create a hard list of all
codings, even some that dream this about all more complicated forms of
encryption.  They dream so hard that they adopt standards that they
choose, and want what they determine others can have to be the full list. 
They tend to shun all other possibilities as inferior, since they did not
make the list, and must be bad by design, or evil by parentage.

Imagine not knowing everything, which should not really be a problem since
it is best to know that you cannot know everything.  The censorial point
of view is to be allowed to know what others cannot so that you can see if
they have anything not on the list of approved ideas, especially including
forbidden formats, forbidden means of encryption, and forbidden data.

Well, the reality is that there are countless ways of being more
knowledgeable about particulars that anyone who would like to control
things.  Our classic attacker would like to have the golden means of
breaking all coding and encryption.  

Knowing that an inferior player represented the majority of computing, one
that was corrupt, corruptible, and produced stupid things by design and/or
ignorance, it was in their interests to let things go along.

Meanwhile, sanity has had a part, the realization that inferior products,
bastardly conduct, and proprietary desires are not necessarily consistent
with the great good, that users and employees desire to be treated
better.  The current run of commercials featuring the water wizard as a
means of fun for the controller was without hidden significance is
symbolic of a depraved attitude that we are fighting.

All of this has major implications for security and encryption, since
mistakes in appropriate design can render extreme efforts in any level
worthless by itself. It should be a constant that anything regarding
computers place the interests of the consumer first, including something
as simple as not making inferior format choices in encryption.

To your question, don't assume any form of content, but look for weak
candidates first. With better algorithms it should not matter.  Trying to
break an algorithm with ciphertext based on a predictable poor content,
like ascii, might let one see worst case deficiencies of the algorithm.
-- 
Secrets that are told or available are not secrets any more, surely
not trade secrets.  Security of secrets is not dependent on someone
else's stupidity, only on your making them available in any form.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: OT: Long sentences
Date: Tue, 23 May 2000 09:10:44 -0600

In article <[EMAIL PROTECTED]>, Runu Knips
<[EMAIL PROTECTED]> wrote:
> 
> When I was in school, we analysed different books and, beside of other
> values, we computed the average word count per sentence.
> 
> The better books had in general the higher values.
> 
Several considerations are involved which consider content and reader.  A
book which is highly readable by one person, may be considered as an
extreme and trivial, not worth the effort, or too sophisticated, not worth
the effort, by another.

One should remember that sentence length may not track with concentration
of content. Generally, the more educated a person is, the better able to
construct long sentences.  This does not correlate with having something
important to say, but many are impressed by things they cannot easily
grasp in what others write.  Those that are not interested in being awed
are probably more interested in content, short sentences or long.
-- 
Secrets that are told or available are not secrets any more, surely
not trade secrets.  Security of secrets is not dependent on someone
else's stupidity, only on your making them available in any form.

------------------------------

From: "Manuel Pancorbo" <[EMAIL PROTECTED]>
Subject: RE: Yet another block cipher: Storin
Date: Tue, 23 May 2000 17:01:02 +0200


Mark Wooding <[EMAIL PROTECTED]> wrote in the news message
[EMAIL PROTECTED]
> Manuel Pancorbo <[EMAIL PROTECTED]> wrote:
> >
> > Mark Wooding <[EMAIL PROTECTED]> wrote in the news message
>
> > I'm designing an algorithm based on matrix multiplication and from my
> > experience the higher the field is, the worse the diffusion is, mainly
> > in the higher bits of the plaintext. As I see you use GF(2^24) which is
> > very high. So, the effort on diffusion must be made by other part of your
> > algorithm.
>
> No, I don't use GF(2^{24}): I use Z_{2^{24}}, which isn't a field but
> contains lots of invertible elements.  This is a good thing: a matrix
> multiplication over GF(2^n) would be linear with XOR!  As the MARS paper
> comments, integer multiplication provides excellent nonlinearity in the
> high-order bits.


Oops! Well, I wanted to say the same thing, in a wrong way: we are talking
of algebra modulo 2^24, aren't we?
In this case I provide the following example. Let's take any invertible 2x2
16-bit matrix M, for example:
|0x04   0x09 |
|0x0f   0x0c |
Let's check the influence of a single bit change. Consider firstly the
trivial result M {0x00, 0x00} = {0x00, 0x00} ; now we test how the change in
the input lower bits affects the output bits. Consider the vectors
u1 = {0x01, 0x00} and u2 = {0x00, 0x01}; they yield
M u1 = {0x04, 0x0f}; M u2 = {0x09, 0x0c}; So, 5 and 4 bits (out of 8)
change.
Now we test the higher bits;
v1 = {0x08, 0x00} and v2 = {0x00, 0x08}; then:
M v1 = {0x00, 0x08} and M v2 = {0x08, 0x00}; In both cases the change in the
output bits is only 1 bit.

Do you understand what I mean? Perhaps this is not a serious weakness
because you make several rounds with the >>12 trick. But take it into
account anyway.

By the way, why don't you make the matrix key dependent? is it really a
problem on the target machine? In my own algorithm I use some interesting
recipes to make key-dependent invertible matrices.


--
____________________________________________________________________

 Manuel Pancorbo
 [EMAIL PROTECTED]
 "...
   Learning a single line of Science is worth more
   than prostrating oneself a hundred times in prayer. (Koran)

   Learning even just one line of Science is worth more
   than kneeling in prayer a hundred times. (Koran)
 ..."
____________________________________________________________________
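The single-bit diffusion experiment from the post above, reproduced and generalised as an added example (not Storin's or Pancorbo's code). The post's entries are read as 4-bit words in Z_16, which is what makes its "out of 8" bit counts come out; the example also checks exhaustively why the top bit diffuses so badly: modulo 2^K, output bits below position j depend only on input bits below j, so flipping input bit j can never reach them, from any base value.

```python
# Added example: bit-level diffusion of a 2x2 matrix product over Z_16.
K = 4
MOD = 1 << K
M = ((0x04, 0x09), (0x0f, 0x0c))       # the matrix from the post

def matvec(m, v):
    """Matrix-vector product with every entry reduced modulo 2^K."""
    return tuple(sum(a * x for a, x in zip(row, v)) % MOD for row in m)

def bits_changed(m, base, delta):
    """Number of output bits that flip when the input goes from base to base XOR delta."""
    out_a = matvec(m, base)
    out_b = matvec(m, tuple(b ^ d for b, d in zip(base, delta)))
    return sum(bin(p ^ q).count("1") for p, q in zip(out_a, out_b))

def diffusion_profile(m, base=(0, 0)):
    """The post's experiment for every single-bit input change: maps
    (word index, bit position) -> number of flipped output bits (out of 2*K)."""
    profile = {}
    for word in range(2):
        for bit in range(K):
            delta = [0, 0]
            delta[word] = 1 << bit
            profile[(word, bit)] = bits_changed(m, base, tuple(delta))
    return profile

def low_bits_never_change(m, bit):
    """Why the high bits diffuse badly: output bits below position `bit` depend
    only on input bits below `bit`, so flipping input bit `bit` (from any base,
    in either word) can never touch them.  Checked exhaustively over Z_16^2."""
    mask = (1 << bit) - 1
    for x in range(MOD):
        for y in range(MOD):
            for delta in ((1 << bit, 0), (0, 1 << bit)):
                a = matvec(m, (x, y))
                b = matvec(m, (x ^ delta[0], y ^ delta[1]))
                if any((p ^ q) & mask for p, q in zip(a, b)):
                    return False
    return True

if __name__ == "__main__":
    for (word, bit), n in sorted(diffusion_profile(M).items()):
        print("word %d bit %d -> %d output bits flip" % (word, bit, n))
    print("top input bit can reach only the top output bits:",
          all(low_bits_never_change(M, b) for b in range(K)))
```

The profile gives 5 and 4 flipped bits for the low-bit changes and 1 for each top-bit change, matching the post; the top input bit of a word can reach at most the top bit of each output word, whatever other mixing the surrounding rounds add.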





------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
