Cryptography-Digest Digest #5, Volume #12        Sun, 11 Jun 00 14:13:00 EDT

Contents:
  Onefish (Twofish's sibling) (tomstd)
  Re: Logical attack on RSA (wtshaw)
  Re: Large S-Boxes (SCOTT19U.ZIP_GUY)
  Re: matrix question ("Tor Rustad")
  Re: Large S-Boxes (tomstd)
  Re: Call for evaluating and testing a stream cipher program ([EMAIL PROTECTED])
  Re: Call for evaluating and testing a stream cipher program ([EMAIL PROTECTED])
  Re: Call for evaluating and testing a stream cipher program (tomstd)
  Re: Improving DES based MAC ("Scott Fluhrer")
  Re: Question about recommended keysizes (768 bit RSA) (Jerry Coffin)
  Re: CAST sboxes --- scarry (Jerry Coffin)
  Re: CAST sboxes --- scarry (tomstd)
  Re: CAST sboxes --- scarry (Jerry Coffin)
  Re: matrix question ("Dark Nebular")

----------------------------------------------------------------------------

Subject: Onefish (Twofish's sibling)
From: tomstd <[EMAIL PROTECTED]>
Date: Sun, 11 Jun 2000 09:13:00 -0700

Just for fun I designed Onefish, it's a 64-bit block cipher
using some design components from RC5 and Twofish.  It's
essentially Twofish's little kid brother, hehehe...

The source is at:

http://tomstdenis.com/tc4.c

Have a peek, it's rather neat.  I doubt it's secure so I
wouldn't bother analyzing it (I just made it in 30 mins).

Enjoy,
Tom

* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Logical attack on RSA
Date: Sun, 11 Jun 2000 09:30:12 -0600

In article <01bfd390$f32c6eb0$0100a8c0@downstairs>, "Michael Brown"
<[EMAIL PROTECTED]> wrote:

> Hi there,
> 
> I had some spare time recently, and I decided to play around with RSA a
> bit, with regard to implementing it in hardware. What I found is that you
> can apparently ram the public key backwards through a multiplier and out
> pops the two primes used to generate it...

Then, that would make RSA symmetrical mathematically, encryption being
swappable with decryption defining such symmetry, considering the public
key as a form of ciphertext. (Given structural transparency where an
algorithm is symmetrical, this means that you can encrypt by decrypting,
then decrypt by encrypting.)  A superficial format limitation to prevent
this does not count as an effective reason to say that symmetry cannot
exist in the base algorithm.

Please up the ante with bigger values, to confirm a persistent hunch many
have that RSA has a soft underbelly. 

If you are in error, we need to see more than emotional retorts to counter
your claim.
-- 
Hippocracy is claiming that since you are MS Certified you can
speak about good security.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Large S-Boxes
Date: 11 Jun 2000 16:34:52 GMT

[EMAIL PROTECTED] (Tim Tyler) wrote in <[EMAIL PROTECTED]>:

>zapzing <[EMAIL PROTECTED]> wrote:
>
>: I agree that 8X8 sboxes are too small to design
>: randomly. One should never use any sboxes smaller
>: than 16X16 if they are designed randomly. I await
>: your tests with 16X16 random sboxes.
>
>16x16 s-boxes??
>
>Goodness - let's hope you don't need more than one of them.

 I hope you test random 16x16 s-boxes that are constrained to
be of the single cycle type, like that used in scott16u.zip,
and if you get a chance try 19X19 single cycle random sboxes
like those in scott19u.zip

http://members.xoom.com/ecil/index.htm


------------------------------

From: "Tor Rustad" <[EMAIL PROTECTED]>
Subject: Re: matrix question
Date: Sun, 11 Jun 2000 18:33:17 +0200

"Benjamin Goldberg" <[EMAIL PROTECTED]> wrote in message
> I'm trying to test some matrix math things I've written, and I'm
> getting results I don't expect...  I don't know if it's my code that's
> wrong, or what I'm expecting that's wrong.
>
> If I have 4 matrices A, B, C, Ma, Mb, each of which is 4x4, and
> Ma is the inverse of Mb, then when I do B = A * Ma, C = B * Mb,
> I find C == A, which is what I expect to get.
>
> However, if A, B, C are 1x4 matrices (Ma and Mb the same 4x4 matrices as
> before), and I do B = A * Ma, C = B * Mb, I find that C does not equal
> A.  This seems Wrong.  Are my expectations (that A should equal C even
> for non-square A,B,C) wrong, or is my code wrong?

You have Ma[i,j] * Mb[j,k] = I[i,k], where I[i,k] = 1 when i=k and otherwise
0.

If we start with
b[j] = a[i] Ma[i,j]

Then multiply with Mb on both sides gives

b[j] Mb[j,k] = a[i] Ma[i,j] Mb[j,k]

which is the same as

b[j] Mb[j,k] = a[k]

Now, if
c[k] = b[j] Mb[j,k]

I think you must agree that
c[k] = a[k]

I guess you made a program error with your index..
--
Tor
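An added example (mine, not Tor's or Benjamin's code) that carries the derivation above through in exact rational arithmetic: a Gauss-Jordan inverse for Mb, the row-vector product b[j] = a[i] Ma[i,j], and the index slip that produces exactly Benjamin's symptom (multiplying back as Mb*b with b treated as a column). The 4x4 matrix and the 1x4 vector are constructed values.

```python
from fractions import Fraction

def mat_inverse(m):
    """Gauss-Jordan inverse over exact rationals; raises ValueError if m is singular."""
    n = len(m)
    a = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col] != 0), None)
        if pivot is None:
            raise ValueError("matrix is singular")
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [x / p for x in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]

def mat_mul(x, y):
    """Plain (p x q) * (q x r) product using x[i][k] * y[k][j]; a 1x4 row vector is [[...]]."""
    return [[sum(x[i][k] * y[k][j] for k in range(len(y))) for j in range(len(y[0]))]
            for i in range(len(x))]

def row_times_matrix(a, m):
    """b[j] = sum_i a[i] * m[i][j]: the convention used in Tor's derivation."""
    return [sum(a[i] * m[i][j] for i in range(len(a))) for j in range(len(m[0]))]

def matrix_times_col(m, a):
    """c[i] = sum_j m[i][j] * a[j]: the column-vector convention, i.e. the indices swapped."""
    return [sum(m[i][j] * a[j] for j in range(len(a))) for i in range(len(m))]

MA = [[2, 3, 0, 0], [1, 2, 0, 0], [0, 0, 3, 1], [0, 0, 2, 1]]   # constructed, invertible, not symmetric
MB = mat_inverse(MA)
A = [1, 2, 3, 4]                                                # constructed 1x4 row vector

def round_trip_row(a=A):
    """B = A*Ma then C = B*Mb, both with the row convention: gives A back."""
    b = row_times_matrix(a, MA)
    return row_times_matrix(b, MB)

def round_trip_mixed(a=A):
    """B = A*Ma with the row convention, then C = Mb*B as a column: equals A only if Ma is symmetric."""
    b = row_times_matrix(a, MA)
    return matrix_times_col(MB, b)

if __name__ == "__main__":
    print(round_trip_row())     # == [1, 2, 3, 4] (as Fractions)
    print(round_trip_mixed())   # == [-13, 10, 10, -13]
```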




------------------------------

Subject: Re: Large S-Boxes
From: tomstd <[EMAIL PROTECTED]>
Date: Sun, 11 Jun 2000 09:39:50 -0700

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
>[EMAIL PROTECTED] (Tim Tyler) wrote in <[EMAIL PROTECTED]>:
>
>>zapzing <[EMAIL PROTECTED]> wrote:
>>
>>: I agree that 8X8 sboxes are too small to design
>>: randomly. One should never use any sboxes smaller
>>: than 16X16 if they are designed randomly. I await
>>: your tests with 16X16 random sboxes.
>>
>>16x16 s-boxes??
>>
>>Goodness - let's hope you don't need more than one of them.
>
> I hope you test random 16x16 s-boxes that are constrained to
>be of the single cycle type, like that used in scott16u.zip,
>and if you get a chance try 19X19 single cycle random sboxes
>like those in scott19u.zip

Single cycle sboxes are not always optimal in terms of DP and LP
max, SAC or BIC.

Also if you have been actually following this thread you will
note that random sboxes are hardly optimal.

Tom
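An added example (not from either poster) that measures the properties argued about here: DP max from the difference distribution table, LP max from the linear approximation table computed with a Walsh transform, and whether a box is a single cycle, for a uniformly random 8x8 permutation versus one produced by Sattolo's algorithm, which yields uniformly random single-cycle permutations. Seeds are constructed; 8x8 is used because an exact LAT for a 16x16 box is impractical in this form.

```python
import random

def random_sbox(n, seed):
    """Uniformly random n-bit permutation (Fisher-Yates shuffle); the seed makes a run repeatable."""
    rng, s = random.Random(seed), list(range(1 << n))
    rng.shuffle(s)
    return s

def random_single_cycle_sbox(n, seed):
    """Uniformly random n-bit permutation that is one cycle (Sattolo's algorithm)."""
    rng, s = random.Random(seed), list(range(1 << n))
    for i in range(len(s) - 1, 0, -1):
        j = rng.randrange(i)      # j < i, never i itself: that restriction is what forces a single cycle
        s[i], s[j] = s[j], s[i]
    return s

def is_single_cycle(s):
    """True if iterating x -> s[x] from 0 visits every value before coming back to 0."""
    x, steps = s[0], 1
    while x != 0:
        x, steps = s[x], steps + 1
    return steps == len(s)

def dp_max(s):
    """DP max: largest difference-distribution-table entry over nonzero input differences."""
    size, best = len(s), 0
    for dx in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[s[x] ^ s[x ^ dx]] += 1
        best = max(best, max(counts))
    return best

def lp_max(s):
    """LP max as an LAT count: max over nonzero masks a, b of |#{x : a.x = b.s(x)} - size/2|."""
    size, best = len(s), 0
    for b in range(1, size):
        # +-1 form of x -> parity(b & s[x]); its Walsh spectrum is the LAT row for every input mask a
        w = [1 - 2 * (bin(b & s[x]).count("1") & 1) for x in range(size)]
        h = 1
        while h < size:
            for i in range(0, size, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        best = max(best, max(abs(w[a]) for a in range(1, size)) // 2)
    return best

def sbox_report(s):
    return {"dp_max": dp_max(s), "lp_max": lp_max(s), "single_cycle": is_single_cycle(s)}

def compare_boxes(n=8, seed=2000):
    """Metrics for a plain random n x n box and a random single-cycle one built from the same seed."""
    return {"random": sbox_report(random_sbox(n, seed)),
            "single_cycle": sbox_report(random_single_cycle_sbox(n, seed))}

if __name__ == "__main__":
    for kind, rep in compare_boxes().items():
        print(kind, rep)
```

Lower dp_max and lp_max are better; on a 4-bit box the best achievable values are 4 and 4, and a box being a single cycle says nothing about either.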




------------------------------

From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: Call for evaluating and testing a stream cipher program
Date: Sun, 11 Jun 2000 09:52:16 -0700

I can see now where the confusion arises. I have never said that the security of
this generator is equivalent to that of the BBS. BBS is only one part of the
scheme. It supplies secure random numbers slowly. That is all.

The cipher is very fast. The scheme has been implemented in C. Its execution
time is about 1.5 times that of a standalone LFG. On 300 MHz Celeron processor
it can encrypt 266 Mbits/s of data (excluding disk access). On a 64-bit machine
it will run twice as fast as on 32-bit machine. I encourage you to download the
executable or the source code and experiment with it.

http:[EMAIL PROTECTED]

"All in all I don't think it's a secure system"
You are probably right here. That is the reason I posted it on the Internet. I
would like to find out how to break it. If you know how to do it please let me
know.

Cascade Research


tomstd wrote:

> After actually reading your paper, I still agree you are doing
> something very wrong.  You use the output of the BBS for a key
> that performs some operation "F3()" on 64 outputs from LFG C,
> which in turn is used as the key for F2 and so on.
>
> The whole security of the system lies in F1/F2/F3 not the BBS
> generator.  I also don't see the need to make 4096/262144
> outputs from LFGB and LFGA.
>
> All in all I don't think it's a secure system or even fast.
>
> What is the rated speed anyways?
>
> Tom
>




------------------------------

From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: Call for evaluating and testing a stream cipher program
Date: Sun, 11 Jun 2000 09:54:13 -0700



Paul Rubin wrote:

> In article <[EMAIL PROTECTED]>,
>  <[EMAIL PROTECTED]> wrote:
> >I did not realize that your absurd and hostile comments were "specific
> >questions." If you had read my description they would not even occur to you. But
> >here are the answers:
> >
> >1) I was not joking
> >2) I do know what BBS is.
> >3) I do not "post-process" it. There are several PRNGs running in parallel at
> >different speeds. The BBS generates one random number for each 262144 random
> >numbers generated by the fastest running LFG.
> >4) That is how I can mention "fast" and "BBS" in the same context.
> >
> >I hope this answers your questions.
>
> Here's a couple further specific questions for you to answer:
>
> 1) Ok, how fast is your cipher then really, in bytes/sec on a typical PC?
> Whatever hardware you've timed it on is fine, just specify what it is.
>

The scheme has been implemented in C. Its execution time is about 1.5 times that of a
standalone LFG. On 300 MHz Celeron processor it can encrypt 266 Mbits/s of data
(excluding disk access). On a 64-bit machine it will run twice as fast as on 32-bit
machine. I encourage you to download the executable or the source code and experiment
with it.

http:[EMAIL PROTECTED]

> 2) Have you applied or do you intend to apply for any patents regarding
> the cipher?

 I have not decided if this is worth patenting.


------------------------------

Subject: Re: Call for evaluating and testing a stream cipher program
From: tomstd <[EMAIL PROTECTED]>
Date: Sun, 11 Jun 2000 09:45:48 -0700

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
>I can see now where the confusion arises. I have never said that the security of
>this generator is equivalent to that of the BBS. BBS is only one part of the
>scheme. It supplies secure random numbers slowly. That is all.

Why use it at all then?  You don't discuss making the BBS
composite or seeding it.  Your documents are very incomplete in
fact.

>The cipher is very fast. The scheme has been implemented in C. Its execution
>time is about 1.5 times that of a standalone LFG. On 300 MHz Celeron processor
>it can encrypt 266 Mbits/s of data (excluding disk access). On a 64-bit machine
>it will run twice as fast as on 32-bit machine. I encourage you to download the
>executable or the source code and experiment with it.

Yadada... How in the world can you claim you can clock a LFG
based system at 266 Mbit/sec.  That's very hard to believe.

Clean up your documents and maybe I will take another run at
trying to cryptanalyze it.

Tom



------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Improving DES based MAC
Date: Sun, 11 Jun 2000 09:32:44 -0700


Tor Rustad <[EMAIL PROTECTED]> wrote in message
news:uNK05.24290$[EMAIL PROTECTED]...
> "Scott Fluhrer" <[EMAIL PROTECTED]> wrote in message
>
>
> A key table is a place inside the TRSM where cleartext keys can be stored,
> this space may be restricted to 800 bytes...
>
> Let say we have a host which uses 100 TRSM, where each TRSM cost $10.000,
> hence a total cost of $1.000.000. In such a case, a performance loss will
> cost significant amount of money.
If TRSMs (Tamper Resistant Security Modules -- I snipped the definition) are
that expensive, it may make economic sense to beef up your 3DES
implementation to the point where you meet your performance goals even
though all your keys can be stored in external storage, and are decrypted
immediately before use, even if you do use 2key 3DES.  However, that's your
decision.

However, my original point was that, for most applications, 112 bit keys and
168 bit keys have basically the same cost.  You apparently have an application
for which that isn't true.

>
> > > I did not see the above, nice! So you are stating that the strength of
> > >
> > > C = k XOR (DESk( k XOR P ))
> > >
> > > is 2^64?
> > To be precise: at most 2^64.  I am not claiming that this is the best
> > possible attack...
> >
> What type of improvement can be used?

I suspect the attacker might be able to do something to reduce the work
effort if he had lots on plaintext/ciphertext pairs.  Or, someone might be
more clever than me.  You must admit, that is an extremely likely
possibility :-)

>
> > > Is that also the case if one of the XOR operations are removed?
> > No.  If you remove one of the XORs, it drops to 2^56, as follows (assuming
> > the first xor is dropped, the second xor is similar):
> >
> > C1 = k2 XOR (DESk( P1 ))
> > C2 = k2 XOR (DESk( P2 ))
> >
> > C1 XOR C2 = DESk( P1 ) XOR DESk( P2 )
> >
> > Iterate through the possible values of k -- there are only 2^56 of them.  I
> > will be bold enough to claim that this is within a constant factor of the best
> > possible attack, given that DES is treated as a keyed random permutation.
>
> I can't see that dropping the second XOR is similar...
>
> C = DESk( P XOR k1 )
>
> where k is 56 bit, but k1 is 64 bit. I feel really stupid now.... please
> tell me.
P1 = k1 XOR (DES-1k( C1 ))
P2 = k1 XOR (DES-1k( C2 ))

(where DES-1k is running DES in decryption mode with key k)

P1 XOR P2 = DES-1k( C1 ) XOR DES-1k( C2 )

Exactly the same, except you do trial decryptions rather than trial
encryptions.

--
poncho
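An added illustration, not Scott's or Tor's code, of why one-sided key whitening adds no key strength: a constructed 16-bit toy Feistel cipher with a 12-bit key stands in for DES, and the search over k alone, with the whitening key read off afterwards, is carried out for both variants discussed, output whitening with trial encryptions and input whitening with trial decryptions. All keys and plaintexts are constructed demo values.

```python
# Toy stand-in for DES: 16-bit block, 12-bit key, 4-round Feistel (constructed, not DES).
TOY_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def _f(x, rk):
    """8-bit round function: key xor, two 4-bit S-boxes, rotate left by 3."""
    x = (x ^ rk) & 0xFF
    x = (TOY_SBOX[x >> 4] << 4) | TOY_SBOX[x & 0xF]
    return ((x << 3) | (x >> 5)) & 0xFF

def _round_keys(k):
    """Four 8-bit round keys from the 12-bit k (every key bit reaches some round)."""
    return [((k >> (2 * r)) ^ (r * 0x9D)) & 0xFF for r in range(4)]

def toy_encrypt(p, k):
    l, r = p >> 8, p & 0xFF
    for rk in _round_keys(k):
        l, r = r, l ^ _f(r, rk)
    return (l << 8) | r

def toy_decrypt(c, k):
    l, r = c >> 8, c & 0xFF
    for rk in reversed(_round_keys(k)):
        l, r = r ^ _f(l, rk), l
    return (l << 8) | r

def mac_output_whitened(p, k, k2):
    """C = k2 XOR E_k(P): the 'first XOR dropped' variant Scott works through."""
    return k2 ^ toy_encrypt(p, k)

def mac_input_whitened(p, k, k1):
    """C = E_k(P XOR k1): the 'second XOR dropped' variant Tor asks about."""
    return toy_encrypt(p ^ k1, k)

def recover_keys(pairs, variant):
    """Search the 12-bit k only; the 16-bit whitening key is read off afterwards.
    pairs: known (P, C) list. Returns every (k, whitening key) consistent with all pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    found = []
    for k in range(1 << 12):
        if variant == "output":
            # C1 ^ C2 = E_k(P1) ^ E_k(P2): k2 cancels, so each k is testable on its own
            e0 = toy_encrypt(p0, k)
            if all(c ^ c0 == toy_encrypt(p, k) ^ e0 for p, c in rest):
                found.append((k, c0 ^ e0))        # k2 = C ^ E_k(P)
        else:
            # P1 ^ P2 = D_k(C1) ^ D_k(C2): the same test with trial decryptions
            d0 = toy_decrypt(c0, k)
            if all(p ^ p0 == toy_decrypt(c, k) ^ d0 for p, c in rest):
                found.append((k, p0 ^ d0))        # k1 = P ^ D_k(C)
    return found

# Constructed demo secrets and known plaintexts (three pairs give two differences to test).
DEMO_K, DEMO_K2, DEMO_K1 = 0xABC, 0x1234, 0xBEEF
DEMO_P = [0x0001, 0x1F2E, 0xC0DE]

def demo(variant="output"):
    """Build known (P, C) pairs under the chosen variant and recover (k, whitening key)."""
    wk = DEMO_K2 if variant == "output" else DEMO_K1
    mac = mac_output_whitened if variant == "output" else mac_input_whitened
    pairs = [(p, mac(p, DEMO_K, wk)) for p in DEMO_P]
    return recover_keys(pairs, variant)

if __name__ == "__main__":
    print(demo("output"))   # contains (0xabc, 0x1234)
    print(demo("input"))    # contains (0xabc, 0xbeef)
```

The work is 2^12 trial encryptions here and 2^56 for real DES, i.e. the whitening key never enters the search; only the double-XOR form makes both keys matter at once.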





------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy.anon-server,alt.security.pgp
Subject: Re: Question about recommended keysizes (768 bit RSA)
Date: Sun, 11 Jun 2000 11:08:20 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...

[ ... ] 

> Please don't let it end like this, the least you could do is agree to
> disagree. I think that back in 1980 computers were very expensive, but
> not because they were or weren't high end, but because we didn't have
> the industry, competition and market share to keep prices low like they
> are now!

When there are matters of opinion, style, etc., it's often reasonable 
to agree to disagree.  The problem is that here we're talking about 
matters of fact.  Bob has stated that there were no $2000 computers 
in 1977, and that there were no desktop computers in 1977.  We can't 
simply "agree to disagree" on this -- it's just plain wrong.  In 1977 
there were quite a few desktop computers with prices in the same 
general range as current desktop computers (e.g. running from 
somewhere around $500 up to a few thousand or so).

Likewise, there were even other DEC machines (the PDP-11 series) that 
were a LOT closer to single-user machines.  Bob has made it clear 
that he was aware of the PDP-11 series on his own, and I've posted 
about the others often enough that he's clearly aware of them now.  
Despite this, he continues to claim that comparing a single-user 
machine to something that was clearly intended for dozens of users is 
reasonable.

Prices now aren't low nearly as much due to competition or market 
share as they are simply to technology: in 1977, nobody knew how to 
build an IC with more than a few thousand transistors on it, and even 
at that, yields were relatively low.  We've now got 20+ more years of 
study in how to build ICs.  It's cheaper to build an IC containing 10 
million transistors now than it was to build one containing 10 
thousand in 1977.

I don't mean to be argumentative, but I think you've got things 
almost exactly backwards: market size depends almost entirely upon 
being able to build machines that a lot of people can afford, and 
still be (or at least appear to be) useful for something consumers 
think they want.

Anyhow the crux of the problem comes back to one simple fact: Bob 
claims that desktop machines in the $2,000 price range didn't exist 
in 1977.  We can't simply agree to disagree over this: it's not a 
matter of opinion.  It's a matter of fact -- it's provable beyond any 
shadow of a doubt that these machines DID exist and Bob's statements 
to the contrary are nothing more than blatant falsehoods.  I can't 
simply agree to disagree over something like that.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: CAST sboxes --- scarry
Date: Sun, 11 Jun 2000 11:08:22 -0600

In article <[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] says...
> This is bothering me that nobody knows how to make cast style
> sboxes.  The CAST designers don't even have websites, and
> ENTRUST is fairly useless for technical information.
> 
> <rant>Couldn't it be possible they 'lied' about their
> construction and nobody ever bothered to check?</rant>  I don't
> want to spread rumors or belittle them, but I find it very
> disconcerting that I can't find a single document saying how
> they made those sboxes.  In the early 80's they talked about
> making single nxn sboxes but never sboxes that way.

This is yet another instance in which the patent system is shown to 
be extremely useful.  Look up US patent 5,825,886 and read through 
the disclosure.  There are a number of related patents as well -- if 
you do your looking on the IBM patent server (www.patents.ibm.com), 
the first patent will have a link to 6 patents in the same family.

In case it makes life easier for anybody, here's a direct link to 
information about the patent:

http://www.patents.ibm.com/details?pn=US05825886__

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

Subject: Re: CAST sboxes --- scarry
From: tomstd <[EMAIL PROTECTED]>
Date: Sun, 11 Jun 2000 10:19:26 -0700

In article <[EMAIL PROTECTED]>,
Jerry Coffin <[EMAIL PROTECTED]> wrote:
>In article <[EMAIL PROTECTED]>,
>[EMAIL PROTECTED] says...
>> This is bothering me that nobody knows how to make cast style
>> sboxes.  The CAST designers don't even have websites, and
>> ENTRUST is fairly useless for technical information.
>>
>> <rant>Couldn't it be possible they 'lied' about their
>> construction and nobody ever bothered to check?</rant>  I don't
>> want to spread rumors or belittle them, but I find it very
>> disconcerting that I can't find a single document saying how
>> they made those sboxes.  In the early 80's they talked about
>> making single nxn sboxes but never sboxes that way.
>
>This is yet another instance in which the patent system is shown to
>be extremely useful.  Look up US patent 5,825,886 and read through
>the disclosure.  There are a number of related patents as well -- if
>you do your looking on the IBM patent server (www.patents.ibm.com),
>the first patent will have a link to 6 patents in the same family.
>
>In case it makes life easier for anybody, here's a direct link to
>information about the patent:
>
>http://www.patents.ibm.com/details?pn=US05825886__

Unfortunately I can't retrieve the white papers for this patent.

Darn.

Tom




------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: CAST sboxes --- scarry
Date: Sun, 11 Jun 2000 11:32:00 -0600

In article <[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] says...

[ ... ] 

> >http://www.patents.ibm.com/details?pn=US05825886__
> 
> Unfortunately I can't retrieve the white papers for this patent.

What do you mean "the white papers"?  What you're looking for is the 
disclosure of the patent itself -- this is a description of the 
method in question, required to be written in sufficient detail to 
allow a "person of ordinary skill in the art" (which is to say, YOU) 
to implement the technique.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: "Dark Nebular" <[EMAIL PROTECTED]>
Subject: Re: matrix question
Date: Sun, 11 Jun 2000 17:36:12 GMT

how did you compute Mb, the inverse matrix of Ma?


J. DERIVIERE ([EMAIL PROTECTED]) ICQ#: 27913909
--------------------------------------------------------------
The SPIRITED Homepage http://www.spirited.fr.fm
You can subscribe to the SPIRITED Newsletter by sending a blank e-mail to
[EMAIL PROTECTED]
----------------------------------------
======================
Benjamin Goldberg <[EMAIL PROTECTED]> wrote in message:
[EMAIL PROTECTED]
> I'm trying to test some matrix math things I've written, and I'm
> getting results I don't expect...  I don't know if it's my code that's
> wrong, or what I'm expecting that's wrong.
>
> If I have 4 matrices A, B, C, Ma, Mb, each of which is 4x4, and
> Ma is the inverse of Mb, then when I do B = A * Ma, C = B * Mb,
> I find C == A, which is what I expect to get.
>
> However, if A, B, C are 1x4 matrices (Ma and Mb the same 4x4 matrices as
> before), and I do B = A * Ma, C = B * Mb, I find that C does not equal
> A.  This seems Wrong.  Are my expectations (that A should equal C even
> for non-square A,B,C) wrong, or is my code wrong?
>





------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
