Cryptography-Digest Digest #888, Volume #11      Mon, 29 May 00 18:13:00 EDT

Contents:
  Re: encryption without zeros (real address at end of post)
  Re: Another sci.crypt Cipher (tomstd)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (Peter G. Strangman)
  Re: Anti-Evidence Eliminator messages, have they reached a burn-out po ("Klaus Daehne")
  Re: encryption without zeros (Tim Tyler)
  Re: OAP-L3:  Version 5.x Revealed (Alan Mackenzie)
  Re: No-Key Encryption ("Trevor L. Jackson, III")
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (George Edwards)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (George Edwards)
  Re: Is OTP unbreakable?/Station-Station ("Trevor L. Jackson, III")
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (Andru Luvisi)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (Andru Luvisi)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May ([EMAIL PROTECTED])
  Re: encryption without zeros (Bryan Olson)
  Re: encryption without zeros (Bryan Olson)
  Re: Math problem (P=NP) prize and breaking encryption ("Axel Lindholm")

----------------------------------------------------------------------------

From: Postmaster@[127.0.0.1] (real address at end of post)
Subject: Re: encryption without zeros
Date: 29 May 2000 19:02:49 GMT

According to zapzing  <[EMAIL PROTECTED]>:
> In article <[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] wrote:
> > zapzing <[EMAIL PROTECTED]> wrote:
> > :   rick2 <[EMAIL PROTECTED]> wrote:
> > :> lcs Mixmaster Remailer <[EMAIL PROTECTED]> wrote:
> > :> > block through the encryption function again, and repeat until you
> > :> > don't get any zeros.
> >
> > This procedure may not always terminate :-(
> 
> Ah, but it will :-)

But maybe not before the Universe dies.  8-(

Also, this method leaks timing info which can not be compensated because
of the non-determinism.

-- 
Don'[EMAIL PROTECTED]

------------------------------

Subject: Re: Another sci.crypt Cipher
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 29 May 2000 12:23:07 -0700

In article <8gu8cu$k68$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (David A. Wagner) wrote:
>In article <8gstfd$oud$[EMAIL PROTECTED]>,  <matthew_fisher@my-deja.com> wrote:
>> I have extended this attack via related keys.  TC1 is vulnerable to
>> differential related key cryptanalysis.  For best results the attack
>> requires chosen plain text.
>
>Oh, if related-key cryptanalysis is allowed, there are other attacks, too.
>Use the fact that if subkey 0 = subkey 1, then encryption = decryption.
>This condition happens with prob. 1/2^32, and can be tested with just two
>encryptions (check if double-encryption gives back the original plaintext).
>We try all 2^32 key-differences of the form (x,0,0,0).  One of them will
>be guaranteed to force subkey 0 to the same value as subkey 1, and then this
>condition will be recognized by our double-encryption test.  This attack
>recovers 32 bits of key material with a total of 2^32 differential related-key
>queries and 2^33 chosen plaintexts.  Then you can finish it off with an
>exhaustive keysearch attack; by using the 32-bit complementation property
>found by Mark Wooding, this stage will require only 2^64 trial encryptions.
>

Ok any ideas on how to use a simple key schedule and avoid such
badly related keys?

I will think up something tonight, but you guys seem good at it
too.

Tom




------------------------------

From: Peter G. Strangman <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Mon, 29 May 2000 19:22:43 +0100
Reply-To: [EMAIL PROTECTED]

On Mon, 29 May 2000 19:51:59 +0000, [EMAIL PROTECTED] (David
Boothroyd) wrote:

> Without this bill criminals will get away with it. With it they will
> not. It's as simple as that.

That load of bollocks has already been shown for what
it is.

-- 
Peter G. Strangman              | Leser, wie gefall ich dir?
[EMAIL PROTECTED]      | Leser, wie gefaellst du mir?
http://www.adelheid.demon.co.uk |     (Friedrich von Logau)
XLIV-VII-DCCCII-CCXII-DCCCXXXI  |

------------------------------

From: "Klaus Daehne" <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,alt.privacy.anon-server,alt.security.pgp
Subject: Re: Anti-Evidence Eliminator messages, have they reached a burn-out po
Date: Mon, 29 May 2000 12:29:19 -0700

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

James, K.,

your reply address is "[EMAIL PROTECTED]", I gave my full name and
real e-mail address.
And since this is a PGP ng, I also signed my message.

I gave a fair account of my personal experience with this product,
you resort to name calling and unfounded allegations.

How unfortunate.

Klaus

"James K" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> This is more bullshit SPAM, posted by the dickhead who is pushing
> that piece of crap EE.

Klaus wrote
>> Besides the fact that EE is crossposting and posting off topic, I
>> wound up downloading their product before this debate started, and
>> (so far) have nothing bad to say.

=====BEGIN PGP SIGNATURE=====
Version: PGP Personal Privacy 6.5.2

iQA/AwUBOTLE/vUjnALVMPh2EQI8PwCgv4LNVpEPAXigXo0J7x3cqCdUay0AoOUY
zD9mu/b3/qzXANboAvhuAEG2
=ZoRU
=====END PGP SIGNATURE=====




------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: encryption without zeros
Reply-To: [EMAIL PROTECTED]
Date: Mon, 29 May 2000 19:46:03 GMT

zapzing <[EMAIL PROTECTED]> wrote:
:   [EMAIL PROTECTED] wrote:
:> :> lcs Mixmaster Remailer <[EMAIL PROTECTED]> wrote:

:> :> > Rick - You could use a regular encryption function like triple
:> :> > DES but if you get an output block which has a zero byte in it,
:> :> > run that block through the encryption function again, and repeat
:> :> > until you don't get any zeros.
:>
:> This procedure may not always terminate :-(

: Ah, but it will :-)

: There are only 256^8 possible 8 bit blocks.
: Imagine a directed graph of all possible blocks, in
: which block A is connected to block B iff block A
: encrypts into block B. Now this graph must consist
: of a finite number of loops. No dendrites allowed.
: A loop either contains a block without zeros or it
: doesn't. So you can see that any block without
: zeros will eventually lead to another block
: without zeros, through the process that
: "Mixmaster" described.

No.  I don't see that at all.  In fact, it's wrong ;-|

: A block encrypting into itself, and/or a block
: that takes more than about 10 steps to encrypt,
: is highly improbable.

I didn't say it was *likely* to fail to terminate.  I said that it
"may not always terminate".

Blocks can encrypt to themselves, or to other blocks that
encrypt to the first block, and so on in cycles of 3, 4, 5, etc.

It's quite possible for this encryption system to go into an
infinite loop.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  I'm pink :. I'm spam

------------------------------

From: Alan Mackenzie<[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: OAP-L3:  Version 5.x Revealed
Date: Mon, 29 May 2000 15:51:24 +0000

Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote
on Sat, 27 May 2000 12:12:30 -0700:
> Alan Mackenzie wrote:

>> [Quite a few questions about AS's encryption program.]

> Hope you found the information at the web site of some interest.

I haven't actually looked, yet. Does the stuff there address the issues I
raised in my previous post?

By the way, could you possibly trim material you're quoting. You know,
saving bandwidth, Usenet etiquette, all that sort of stuff.

> AS

-- 
Alan Mackenzie (Munich, Germany)
Email: [EMAIL PROTECTED]; to decode, wherever there is a repeated letter
(like "aa"), remove one of them (leaving, say, "a").


------------------------------

Date: Mon, 29 May 2000 17:29:35 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: No-Key Encryption



Michael Pellaton wrote:

> It seems to me that I used the wrong name of a method of encryption.
> Maybe it's an error that occurred during translation from and to
> German (I have seen the word "no-key encryption" in at least two
> German books).
>
> I'd like to explain what I mean with "No-Key-Encryption" in a
> small example:
>
> Assume Alice wants to send a message to Bob.
>
> The message is M = 10101100
> Alice has a private key A = 11011001
> Bob has a private key B = 00010111
>
> Now, Alice encrypts her message with her private key
>   M XOR A = Ma = 01110101
>
> and sends Ma to Bob. Bob can't decrypt the message, but he can
> encrypt it again using his key
>   Ma XOR B = Mab = 01100010
>
> Now Bob sends Mab back to Alice. She decrypts it with her key A
>   Mab XOR A = Mb = 10111011
>
> and again sends it to Bob who is now able to decrypt the Message
> with his key
>   M = Mb XOR B = 10101100
>
> Maybe the method should be called "no public key" or "no key
> exchange" encryption.
>
> It allows two people or systems to communicate safely without knowing
> anything about each other except for the fact that it uses the
> same encryption system.
>
> I know that XOR is a very weak encryption method and I just used it
> to show what I mean with "No-Key encryption" in an easy way.

The reason your system works is that the combining operation is associative,
which is also the reason it, and all systems like it, are trivially useless.
Once an opponent has M+Ka and M+Kb recovering M is not hard.  Given M
recovering the keys is not hard.

>
>
> Now, what's the proper English name for what I described above?
> Where is it used?
> Are there any well-known implementations?
>
> Thanks for your help
>
> Michael Pellaton
>
> Michael Pellaton wrote:
> >
> > In the literature about cryptography I often read about the three
> > different types of encryption - symmetric, asymmetric and No-Key
> > encryption. I found plenty implementations of the symmetric and the
> > asymmetric method. Is there any implementation of no-key encryption
> > available?
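
The exchange described in this message, as an added example that is not part
of either poster's text: it replays the three XOR passes with the values from
the post and shows what a passive observer of the three transmissions can
compute. The function names and the longer sample message are assumptions
made for the illustration.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def three_pass(message: bytes, key_a: bytes, key_b: bytes):
    """Run the exchange from the post; return (Bob's result, wire transcript)."""
    ma = xor(message, key_a)    # pass 1, Alice -> Bob
    mab = xor(ma, key_b)        # pass 2, Bob -> Alice
    mb = xor(mab, key_a)        # pass 3, Alice -> Bob (Alice's layer removed)
    return xor(mb, key_b), [ma, mab, mb]


def eavesdrop(wire):
    """Recover (M, A, B) from the three observed transmissions alone."""
    ma, mab, mb = wire
    key_b = xor(ma, mab)        # (M^A) ^ (M^A^B) = B
    key_a = xor(mab, mb)        # (M^A^B) ^ (M^B) = A
    return xor(ma, key_a), key_a, key_b


def demo():
    # Values from the post: M = 10101100, A = 11011001, B = 00010111.
    m, a, b = bytes([0b10101100]), bytes([0b11011001]), bytes([0b00010111])
    received, wire = three_pass(m, a, b)
    small = (received, [format(w[0], "08b") for w in wire], eavesdrop(wire))

    # Constructed longer message with fresh random keys: same outcome.
    msg = b"constructed sample message"
    ka, kb = secrets.token_bytes(len(msg)), secrets.token_bytes(len(msg))
    _, wire2 = three_pass(msg, ka, kb)
    return small, eavesdrop(wire2) == (msg, ka, kb)


if __name__ == "__main__":
    print(demo())
```

Key length and randomness make no difference here: the three transmissions
always XOR together to the message.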


------------------------------

From: George Edwards <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Mon, 29 May 2000 21:58:07 +0100

In article <[EMAIL PROTECTED]>, Thomas M. Sommers
<[EMAIL PROTECTED]> writes
>in the US it's a crime for a criminal not to report his illegal
>earnings to the tax man.  That's how they got Al Capone.

I think this is also the case in New Zealand. Surely we should be trying
to persuade "criminals" to enter the tax system? After all, locking them
up usually costs us more than they would yield in taxes?

-- 
George Edwards

------------------------------

From: George Edwards <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Mon, 29 May 2000 22:05:44 +0100

In article <[EMAIL PROTECTED]>, David
Boothroyd <[EMAIL PROTECTED]> writes
> The Poll Tax was replaced because
>Conservative MPs realised it was too unpopular. 


They had known this for ages. It was the actuality of direct action that
stopped it. The boomer generation will not be stopping using direct
action when they find their pensions are being devalued, or that the
NHS/ Benefits agency prefers to subsidise jails for criminals to paying
them a decent pension. Tony had better put on his helmet now!


-- 
George Edwards

------------------------------

Date: Mon, 29 May 2000 17:39:50 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Is OTP unbreakable?/Station-Station



Guy Macon wrote:

> In article <8gt18b$1a1$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> >
> >
> >In article <8gqoic$[EMAIL PROTECTED]> Guy Macon,
> >[EMAIL PROTECTED] writes:
> >>No.  If I use any of the standard authentication protocols,
> >>someone who knows my plaintext but not my key and who can
> >>intercept my ciphertext and replace it with his own cannot
> >>send a message that looks like I sent it.  In the case of
> >>checksum followed by OTP encryption, he can.  This is the
> >>classic man-in-the middle attack combined with the classic
> >>known/chosen plaintext attack.  Good security systems resist
> >>these attacks, singly or in combination.  OTP doesn't.
> >>
> >Perhaps the arguments against your statements are springing from the fact
> >that you denigrate OTP using attack scenarios that are somewhat unusual.
> >The attack you described on OTP entails finding plaintext that matches a
> >particular ciphertext that you have managed to intercept and also prevent
> >from reaching the intended receiver.  That's some set of circumstances.
> >If you want to posit such a string of events, then I will reply that no
> >authentication scheme works because I could simply beat the
> >authentication info out of you and use it in messages to your confreres.
> >Now let's talk about angels dancing on heads of pins.
>
> Rather than assuming that I denigrate OTP, why don't you ask me what
> my opinion of it is?  (My opinion is that is wonderful.  I don't
> have to worry about some crypto expert breaking the scheme through
> cryptanalysis.  That's very valuable.  My opinion is also that you
> shouldn't just run your plaintext through the OTP.  You should
> compress it, encrypt it with a method that provides authentication,
> then encrypt it again with OTP.

This approach only increases security if one assumes that an attacker can read a
PGP-enciphered message, but cannot forge a PGP-authenticated message.  Is there a
basis for making such assumptions?  It seems to me that this will apply in an
extremely narrow set of circumstances.

>  PGP does the compression and the
> authentication in one step).  I see little point in using OTP to
> raise your security level against cryptanalysis from really, really,
> really, good to perfect without also taking simple steps to raise
> your security level against man-in-the-middle and known plaintext
> attacks.
>
> As for likelihood, I am, among other things, a system administrator
> for a corporate LAN.  If one of my users starts using OTP (say with
> a CD-ROM of random bits) I can probably fake incoming emails and do
> a bit of social engineering to achieve chosen plaintext, and I can
> certainly intercept and replace the users ciphertext with my own.
> One of my jobs as sysadmin is to provide my users with security
> that I cannot break.  OTP alone doesn't provide that.
>
> Let's be realistic here.  The chances of someone using cryptanalysis
> to read your PGP encrypted message is way out in the "angels dancing
> on heads of pins" area already.  The odds of OTP's resistance to
> cryptanalysis increasing your security is much smaller than the
> chances that your sysadmin or ISP will social engineer you into
> encrypting known plaintext and then do a man-in-the-middle attack.
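
The "checksum followed by OTP encryption" case from the quoted text, as an
added example that is not part of any poster's message: a CRC under the pad
accepts a substituted message from someone who knows the plaintext but not
the pad, while a keyed MAC under the same pad rejects it. CRC-32 as the
checksum, HMAC-SHA256 as the authentication method, and all names and sample
messages are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import zlib

CRC_LEN, MAC_LEN = 4, 32


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def crc(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(CRC_LEN, "big")


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def pad_xor(body: bytes, pad: bytes) -> bytes:
    """One-time-pad layer; the pad must be at least as long as the body."""
    if len(pad) < len(body):
        raise ValueError("pad too short")
    return xor(body, pad[:len(body)])


def seal_crc(msg: bytes, pad: bytes) -> bytes:
    return pad_xor(msg + crc(msg), pad)


def open_crc(ct: bytes, pad: bytes) -> bytes:
    body = pad_xor(ct, pad)
    msg, tag = body[:-CRC_LEN], body[-CRC_LEN:]
    if crc(msg) != tag:
        raise ValueError("checksum mismatch")
    return msg


def seal_mac(msg: bytes, pad: bytes, mac_key: bytes) -> bytes:
    return pad_xor(msg + mac(mac_key, msg), pad)


def open_mac(ct: bytes, pad: bytes, mac_key: bytes) -> bytes:
    body = pad_xor(ct, pad)
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, mac(mac_key, msg)):
        raise ValueError("MAC mismatch")
    return msg


def replace_in_transit(ct: bytes, known: bytes, wanted: bytes, fix_crc: bool) -> bytes:
    """Interceptor's view: knows the plaintext, never sees the pad or MAC key."""
    old = known + (crc(known) if fix_crc else b"")
    new = wanted + (crc(wanted) if fix_crc else b"")
    delta = xor(old, new)              # raises if the lengths differ
    return xor(ct[:len(delta)], delta) + ct[len(delta):]


def demo():
    pad, mac_key = secrets.token_bytes(64), secrets.token_bytes(32)
    known, wanted = b"PAY BOB   $0010.", b"PAY EVE   $9999."  # constructed
    accepted = open_crc(replace_in_transit(seal_crc(known, pad), known, wanted, True), pad)
    try:
        open_mac(replace_in_transit(seal_mac(known, pad, mac_key), known, wanted, False),
                 pad, mac_key)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```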


------------------------------

From: Andru Luvisi <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: 29 May 2000 14:24:38 -0700

[EMAIL PROTECTED] (David Boothroyd) writes:
[snip]
> "They" in that paragraph begins to sound paranoid. There are inevitably
> cases in which the police have gone too far. That does not amount to any
> sort of argument against police powers in general.
[snip]

Excuse me?  Since when is abusing a power not grounds for losing it?

Andru
-- 
========================================================================== 
| Andru Luvisi                 | http://libweb.sonoma.edu/               |
| Programmer/Analyst           |   Library Resources Online              | 
| Ruben Salazar Library        |-----------------------------------------| 
| Sonoma State University      | http://www.belleprovence.com/           |
| [EMAIL PROTECTED]      |   Textile imports from Provence, France |
==========================================================================

------------------------------

From: Andru Luvisi <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: 29 May 2000 14:27:13 -0700

[EMAIL PROTECTED] (David Boothroyd) writes:
[snip]
> It is not a human rights violation. The s.19 certificate states that the
> Bill complies with all the UK's human rights obligations.
[snip]

This is not a usenet post.  This is a binding contract which you have
already signed, stating that you must pay me US$1,000,000 on or before
July 1st 2000.

Andru
-- 
========================================================================== 
| Andru Luvisi                 | http://libweb.sonoma.edu/               |
| Programmer/Analyst           |   Library Resources Online              | 
| Ruben Salazar Library        |-----------------------------------------| 
| Sonoma State University      | http://www.belleprovence.com/           |
| [EMAIL PROTECTED]      |   Textile imports from Provence, France |
==========================================================================

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Mon, 29 May 2000 22:40:01 +0100

On Mon, 29 May 2000 19:51:59 +0000, [EMAIL PROTECTED] (David
Boothroyd) wrote:

>In article <[EMAIL PROTECTED]>, Adrian Kennard
><[EMAIL PROTECTED]> wrote:
>> David Boothroyd wrote:
>> >...
>> > I thought you said you were too young. The Poll Tax was replaced because
>> > Conservative MPs realised it was too unpopular. The idea that the police
>> > being able to demand that encrypted data (about which they have a reasonable
>> > suspicion) be decrypted is in some way unreasonable is absurd.
>> 
>> The idea that the police may have unfounded suspicion.
>
>Then they will find the decrypted document does not contain anything
>wrong, and no further action will be taken.
>
>> The idea that the individual may not wish to disclose a key
>> which can then be used to decode everything they have ever
>> received regardless of relevance, and sign things with their name, etc.
>
>I'm sure many people interviewed by the police do not wish to disclose
>things. This does not cause particular problems now.
>
>> The idea that the data may not be encrypted, or the suspect
>> may not have the key and cannot prove this. After all, if plod
>> knew what it was then they would not need the key - they must have
>> only suspicions.
>
>People cannot be put in jail because they have lost their keys, as
>Ministers have made clear during debate on the bill.
>
>Without this bill criminals will get away with it. With it they will
>not. It's as simple as that.


Your real name is Jack Straw and I claim my free copy of the R.I.P.
Bill
Best regards,
Dave

Remove "the" to e-mail.
*****************************************************************************************
If the only freedoms you have are what 
the government allows, then you are 
truly a slave
*****************************************************************************************

------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: encryption without zeros
Date: Mon, 29 May 2000 21:37:12 GMT

Tim Tyler wrote:
> zapzing <[EMAIL PROTECTED]> wrote:

> : There are only 256^8 possible 8 bit blocks.
> : Imagine a directed graph of all possible blocks, in
> : which block A is connected to block B iff block A
> : encrypts into block B. Now this graph must consist
> : of a finite number of loops. No dendrites allowed.
> : A loop either contains a block without zeros or it
> : doesn't. So you can see that any block without
> : zeros will eventually lead to another block
> : without zeros, through the process that
> : "Mixmaster" described.
>
> No.  I don't see that at all.  In fact, it's wrong ;-|
>
> : A block encrypting into itself, and/or a block
> : that takes more than about 10 steps to encrypt,
> : is highly improbable.
>
> I didn't say it was *likely* to fail to terminate.  I said that it
> "may not always terminate".
>
> Blocks can encrypt to themselves, or to other blocks that
> encrypt to the first block, and so on in cycles of 3, 4, 5, etc.
>
> It's quite possible for this encryption system to go into an
> infinite loop.

No.  Remember that we know the original plaintext has
no zeros, and the block encryption function is a
permutation.  There is at least one zero-free block on
the cycle - the original plaintext.

The first time I heard of this scheme was at the first
AES conference.  Schroppel described it to define how
his "Hasty Pudding" cipher encrypts blocks of any size,
including fractional bits.


--Bryan
--
email: bolson at certicom dot com
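
The termination argument in this post, and the earlier objection in this
digest that the scheme might loop forever, as an added example that is not
part of any poster's message: it applies the re-encrypt-until-zero-free rule
to every zero-free block of a small cipher and checks that the walk always
ends, is invertible, and permutes the zero-free blocks. The 16-bit Feistel
cipher is a stand-in for triple DES chosen so the check can be exhaustive; it
and all names are assumptions made for the illustration.

```python
import hashlib

ROUNDS = 4  # toy 16-bit Feistel cipher standing in for triple DES (assumption)


def make_tables(key: bytes):
    """One keyed 8-bit round-function table per Feistel round."""
    return [[hashlib.sha256(key + bytes([r, x])).digest()[0] for x in range(256)]
            for r in range(ROUNDS)]


def encrypt_block(tables, block: int) -> int:
    left, right = block >> 8, block & 0xFF
    for t in tables:
        left, right = right, left ^ t[right]
    return (left << 8) | right


def decrypt_block(tables, block: int) -> int:
    left, right = block >> 8, block & 0xFF
    for t in reversed(tables):
        left, right = right ^ t[left], left
    return (left << 8) | right


def has_zero_byte(block: int) -> bool:
    return (block >> 8) == 0 or (block & 0xFF) == 0


def walk(step, tables, block: int):
    """Apply `step` until the result has no zero byte; return (result, steps)."""
    if has_zero_byte(block):
        # A start block with a zero may sit on a cycle made only of such
        # blocks, which is the case where the loop would never end.
        raise ValueError("input must be zero-free")
    steps = 0
    while True:
        block = step(tables, block)
        steps += 1
        if not has_zero_byte(block):
            return block, steps


def survey(tables):
    """Exhaustively check every zero-free 16-bit block."""
    domain = [b for b in range(1 << 16) if not has_zero_byte(b)]
    images, histogram, roundtrip = set(), {}, True
    for p in domain:
        c, n = walk(encrypt_block, tables, p)
        back, m = walk(decrypt_block, tables, c)
        roundtrip &= (back == p and m == n)
        images.add(c)
        histogram[n] = histogram.get(n, 0) + 1
    return {"roundtrip": roundtrip,
            "bijection": images == set(domain),
            "steps": dict(sorted(histogram.items()))}


if __name__ == "__main__":
    print(survey(make_tables(b"constructed demo key")))
```

The "steps" histogram is the data-dependent iteration count behind the timing
remark in the first message of this digest.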



------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: encryption without zeros
Date: Mon, 29 May 2000 21:54:31 GMT

zapzing <[EMAIL PROTECTED]> wrote:

> In the plantest, let us say there is a
> string of n zeros in the unprocessed
> ciphertext. Then this is changed to
> a string of 2n zeros. A string of an
> odd number of zeros, 2n+1 zeros to be precise,
> would indicate that the unprocessed ciphertext
> has a string of n zeros followed by
> the end of the block. Thus every escape
> character that is actually supposed to get
> through is reescaped with itself.

That fails the requirement - no zeros in the ciphertext.

You seem to be showing how zero can be used both as an
end marker and the encoding of the zero byte.  That does
not solve the problem.


--Bryan
--
email: bolson at certicom dot com



------------------------------

From: "Axel Lindholm" <[EMAIL PROTECTED]>
Subject: Re: Math problem (P=NP) prize and breaking encryption
Date: Tue, 30 May 2000 00:09:13 +0200


"David A Molnar" <[EMAIL PROTECTED]> wrote in message
news:8gtkvi$ggr$[EMAIL PROTECTED]...
> Axel Lindholm <[EMAIL PROTECTED]> wrote:
> > There are, today, 2 categories of problems. P and NP. To understand why RSA
> > gets useless we look into what category the RSA problem belongs to. It is
> > believed that factoring huge numbers into huge primeparts is NPC (NP
> > complete).
>
> Actually, it is not known that factoring is NP-complete.
> It is known that factoring is in NP and in coNP, which leads some people
> to conjecture that factoring is *not* NP-complete, but instead somehow
> easier. Although no one knows how easy, of course.
>
> > What is NPC then?
> > These are the problems that we don't know how to solve quick, the only
> > algorithms we know to solve these type of problems have so called
> > exponential worst-case complexity.
>
> The best known algorithm for factoring is subexponential.
>
> Thanks,
> -David

Thank you for enlightening me! I searched for the best factorisation alg but
without very good results, if you had a reference to a page that had some
information on that algorithm I'd love it!

Ah, while I'm still typing I might as well ask if someone ever tried dealing
with SAT and came up with some results or perhaps know a good webpage
dealing with SAT? My number theory mentor gave me a small compendium about it
once but, sadly enough, I seem to have lost it.

Thanks!
// Axel Lindholm



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
