Cryptography-Digest Digest #468, Volume #12      Thu, 17 Aug 00 14:13:01 EDT

Contents:
  Re: Impossible Differentials of TC5 (David Empey)
  Re: New quantum computer - any details? (Sander Vesik)
  Re: OTP using BBS generator? (Terry Ritter)
  Re: OT (Proposal of drafting rules of conduct of posting) ("Paul Pires")
  Re: OT (Proposal of drafting rules of conduct of posting) (Mok-Kong Shen)
  Re: Just Curious. Are girls/women interested (Sander Vesik)
  Directions (Adriano Prado)
  Re: OTP using BBS generator? (Mok-Kong Shen)
  DES: Say it or spell it? (Newbie question) (William Rowden)
  Re: DES: Say it or spell it? (Newbie question) (DJohn37050)
  Re: 215 Hz five-qubit quantum processor (Steve Newman)
  Re: OT (Proposal of drafting rules of conduct of posting) ("Paul Pires")
  Re: My first serious (kinda) paper. (Ichinin)
  Re: Is this Diffie-Hellman modification safe? (David P Jablon)

----------------------------------------------------------------------------

From: David Empey <[EMAIL PROTECTED]>
Subject: Re: Impossible Differentials of TC5
Date: Thu, 17 Aug 2000 16:00:43 GMT

In article <8nepc2$g75$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:

> Tom,
>
> A simple key recovery attack exists.  If the F function operates on
> the left half, the four round impossible differential is
>
> 0    d    probability of 1
> d    0    e  != 0 since the F function is bijective, p = 1
> e    d    f  != d since f = (F(e) ^ d) and F(e) != 0, p = 1
> f    e
>
> g    f    ciphertext, g = F(f) ^ e
>
> All the above are differentials of course.
>
> What we know
>
> e != 0
> f = f1 ^ f2, where f1 and f2 are known
> g = F(f1^k) ^ F(f2^k) ^ e, where k is the secret key.

Do you mean k is the round key for round 4?  In that case, k
is 1024 bits long.

> F() is a bijective 64-bit function
>
> Now if we assume e = 0, we can calculate possible values for the key, k.
> In a brute force manner, we loop through all possible values of k' and

If k' is supposed to be the 4th round subkey, then this will take up
2^1024 time.  I don't think that is very practical.

> check
>
> (1) F(f1^k') ^ F(f2^k') = g.
>
> Any value of k' that satisfies (1) cannot be the actual key, k.  If k =
> k' then e = 0.  Since e != 0, we have created a contradiction.
>

--
Cordially,
Dave Empey


Sent via Deja.com http://www.deja.com/
Before you buy.
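As an added illustration of the sieve quoted above (my own construction, not TC5 and not code from any poster): a 4-round toy Feistel on 8-bit halves with a fixed random permutation as the bijective F, so the 256 candidates for the last round key can actually be enumerated, which is the step David Empey points out is hopeless against a 1024-bit subkey. Pairs with input difference (0, d) never eliminate the true key, because a match would force e = 0.

```python
"""Impossible-differential sieve on a toy 4-round Feistel cipher.
Constructed example: 8-bit halves, F = fixed random permutation (bijective)."""
import random

_perm_rng = random.Random(2000)
# F is a fixed random permutation of the 8-bit values, hence bijective,
# which is the property the differential argument relies on.
SBOX = list(range(256))
_perm_rng.shuffle(SBOX)


def F(x):
    return SBOX[x & 0xFF]


def encrypt(left, right, round_keys):
    """Feistel rounds with F acting on the left half:
    (L, R) -> (R ^ F(L ^ k), L).  Four keys give four rounds."""
    for k in round_keys:
        left, right = right ^ F(left ^ k), left
    return left, right


def sieve_last_round_key(round_keys, d, n_pairs, rng):
    """Eliminate candidates k' for the last round key using plaintext pairs
    with difference (0, d).  Returns the sorted list of surviving candidates."""
    assert d != 0, "the differential needs a non-zero right-half difference"
    candidates = set(range(256))
    for _ in range(n_pairs):
        l, r = rng.randrange(256), rng.randrange(256)
        g1, f1 = encrypt(l, r, round_keys)        # ciphertext halves (g, f)
        g2, f2 = encrypt(l, r ^ d, round_keys)
        g = g1 ^ g2                               # left-half output difference
        # For the true key, F(f1^k) ^ F(f2^k) == g ^ e with e != 0 (F is
        # bijective and d != 0), so any k' giving exactly g cannot be the key.
        for kp in list(candidates):
            if F(f1 ^ kp) ^ F(f2 ^ kp) == g:
                candidates.discard(kp)
    return sorted(candidates)


def demo(n_pairs=4000, seed=17):
    """Sieve against a random 4-round key; returns (true last key, survivors)."""
    rng = random.Random(seed)
    round_keys = [rng.randrange(256) for _ in range(4)]
    return round_keys[3], sieve_last_round_key(round_keys, 0x5A, n_pairs, rng)


if __name__ == "__main__":
    true_key, survivors = demo()
    print("last round key:", true_key, "surviving candidates:", survivors)
```

Each pair eliminates a wrong candidate with probability roughly 1/256, so a few thousand pairs leave (almost always) only the true key; the cost per pair is one F evaluation per remaining candidate, which is what makes the 1024-bit case infeasible.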

------------------------------

From: Sander Vesik <[EMAIL PROTECTED]>
Subject: Re: New quantum computer - any details?
Date: 17 Aug 2000 16:12:05 GMT

Gordon Walker <[EMAIL PROTECTED]> wrote:
> On 16 Aug 2000 16:23:54 GMT, Sander Vesik <[EMAIL PROTECTED]>
> wrote:

>>How long is 'realistical length' and what constitutes a practical
>>quantum computer?  A qc that can crack say 512 bit RSA in say 4 weeks
>>is practical, but not overly threatening for 16/32 kbit keys that are
>>still realistically long. 
>>
>>Even if you speed it up 4 times, longer keys are still realistic. Beyond
>>that, we need something else than RSA.

> But by my limited understanding, a quantum computer can bring down the
> order of complexity of the factoring problem. Previously adding one or
> two bits to the key required a vast increase in processing power to
> break it. With an improved O() value for the solving machines you have
> the situation where the cracking machines are chasing keylength much
> more quickly and that just a few years research might allow the
> hardware to catch up with the keylength you have chosen.

But what I wrote assumes that it takes linear O(n) time above 512 bits - 
32kbits is 64 times 512 bits, and breaking that key would take 256
weeks or slightly over 4 years. It is unlikely that somebody would dedicate
4 years to finding out most secrets.

With linear scaling from 512 bit key and a 32kbit RSA key:

        512bit key time         32kbit key time
        4 weeks                 256 weeks (4+ years)
        2 weeks                 128 weeks
        1 week                  64 weeks 
        1 day                   64 days=2 months
        1 minute                2 hours

This applies mostly to technology scaling - I doubt that there is an algorithm
that can compute 32kbit keys on 512 bit qc-s in linear time.

If quantum computers above 512 bit range double their size in a year, it will
take 64 years to get there. 32kbit rsa keys are probably secure in 10 years -
but just because if we keep doubling quantum computer bits yearly, we will 
reach ~ 2K bits in 2010 8-) 

Even quadrupling bits yearly won't threaten them (then again, 32kbit keys are
slow).

> -- 
> Gordon Walker

-- 
        Sander

FLW: "I can banish that demon"

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: OTP using BBS generator?
Date: Thu, 17 Aug 2000 16:15:31 GMT


On 17 Aug 2000 11:25:29 GMT, in <[EMAIL PROTECTED]>,
in sci.crypt [EMAIL PROTECTED] (Mark Wooding) wrote:

>[...]
>If cycles
>are short enough to traverse, then you can predict the generator's
>output very easily.  Since the generator is unpredictable, such cycles,
>if they exist, must be very difficult to find.

Here, "unpredictable" is apparently mathematical exaggeration for
effect: for, if the use of short cycles is *not* prohibited, a short
cycle *might* be chosen, in which case the generator output would be
predictable (as stated).

So, when short cycles are *not* prohibited, what we have really is
"almost always unpredictable."  We don't get to "unpredictable" until
we eliminate the use of short cycles.

Thus, if we want the comfort of "unpredictable" instead of "almost
always unpredictable," we need to additionally avoid short cycles.


The above also tracks the strength argument, where even if we have no
global guarantee of strength, we certainly cannot claim strength
beyond the weakest possible configuration we support.  To allow short
cycles is to let them be our minimum guaranteed strength.

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: OT (Proposal of drafting rules of conduct of posting)
Date: Thu, 17 Aug 2000 09:40:45 -0700


Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Paul Pires wrote:
> >
> > Mok-Kong Shen <[EMAIL PROTECTED]> wrote
>
> > > I have the impression that there is some misunderstanding.
> > > I explained already that the proposed paper is not and cannot
> > > be a 'ban'. It's intended to be an expression of what the
> > > majority hopes to be a desirable state (if the majority
> > > could agree on something at all). Anyway, I don't think that
> > > your last sentence could be widely generalized. For it would
> > > ultimately mean that we wouldn't need guidelines of any kind
> > > in society, which I am afraid wouldn't well function, at
> > > least in the world in which we are currently living.
> >
> > This is a cultural mindset, not self evident fact.
> >
> > We don't need guidelines of any kind in society.
>
> Does that mean in the western (or whichever you mean)
> cultural mindset laws and the like are entirely redundant?

Fencing. Of course it doesn't. They serve a purpose in the fair delivery of
justice. If you want to set me up to make a completely stupid statement,
put a little more work into it.

>
> > Just because you observe what you perceive to be a cause and then an
> > effect doesn't mean that they are related. This can be coincidence. There are
> > rules and to a certain extent there is civilized behavior which parallels
> > these rules (or at least once did). This is also a coincidence. The rules came
> > about codifying the behavior of folks living up to a certain standard,
> > an ethic. The behavior and the civilization was there before the rules. The
> > rules are there as a warning from the civilized "Here is the line, cross
> > it at your peril" When civilized behavior is at risk of extinction, it is
> > from a lack of civilized people. Rules will not stem the tide and can even
> > hasten the fall.
>
> So rules are of no value/use and should be disposed of.
> Is that right?

That's your proposition, you snipped off mine.

I think I stated clearly that, IMHO, rules are not relevant to the problem
or solution.

Do you have a counter position, opinion or what-not or are you just going to
ask leading questions? I argue with myself all the time and I don't need to
burn bandwidth to do it.

Paul
>
> M. K. Shen





------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: OT (Proposal of drafting rules of conduct of posting)
Date: Thu, 17 Aug 2000 19:17:23 +0200



Paul Pires wrote:
> 
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote

> > Paul Pires wrote:
> > >
> > > Mok-Kong Shen <[EMAIL PROTECTED]> wrote
> >
> > > > I have the impression that there is some misunderstanding.
> > > > I explained already that the proposed paper is not and cannot
> > > > be a 'ban'. It's intended to be an expression of what the
> > > > majority hopes to be a desirable state (if the majority
> > > > could agree on something at all). Anyway, I don't think that
> > > > your last sentence could be widely generalized. For it would
> > > > ultimately mean that we wouldn't need guidelines of any kind
> > > > in society, which I am afraid wouldn't well function, at
> > > > least in the world in which we are currently living.
> > >
> > > This is a cultural mindset, not self evident fact.
> > >
> > > We don't need guidelines of any kind in society.
> >
> > Does that mean in the western (or whichever you mean)
> > cultural mindset laws and the like are entirely redundant?
> 
> Fencing. Of course it doesn't. They serve a purpose in the fair delivery of
> justice. If you want to set me up to make a completely stupid statement,
> put a little more work into it.
> 
> >
> > > Just because you observe what you perceive to be a cause and then an
> > > effect doesn't mean that they are related. This can be coincidence. There are
> > > rules and to a certain extent there is civilized behavior which parallels
> > > these rules (or at least once did). This is also a coincidence. The rules came
> > > about codifying the behavior of folks living up to a certain standard,
> > > an ethic. The behavior and the civilization was there before the rules. The
> > > rules are there as a warning from the civilized "Here is the line, cross
> > > it at your peril" When civilized behavior is at risk of extinction, it is
> > > from a lack of civilized people. Rules will not stem the tide and can even
> > > hasten the fall.
> >
> > So rules are of no value/use and should be disposed of.
> > Is that right?
> 
> That's your proposition, you snipped off mine.
> 
> I think I stated clearly that, IMHO, rules are not relevant to the problem
> or solution.
> 
> Do you have a counter position, opinion or what-not or are you just going to
> ask leading questions? I argue with myself all the time and I don't need to
> burn bandwidth to do it.

It was my opinion that you were extending the scope of
the argumentation, thus leading to view points regarding 
cultural mindsets etc. My proposal was more practically 
oriented and (very) limited to the issue here, being 
motivated by complaints about rude style and that of 
tomstd. Thus considerations on philosophical levels
are not called for in my humble view. It was aimed as
some amelioration that should be realizable without
too much difficulty and is further in no sense meant to 
be a cure-all.

M. K. Shen

------------------------------

From: Sander Vesik <[EMAIL PROTECTED]>
Subject: Re: Just Curious. Are girls/women interested
Date: 17 Aug 2000 17:07:56 GMT

Paul Pires <[EMAIL PROTECTED]> wrote:

[snip]

> Just out of curiosity, I asked a notable female in the security industry.
> The answer I got was her observation that most of the postings to sci.crypt
> appear to have more to do with penis measurement & relative ranking than in
> intellectual discourse.

> She doesn't perceive sci.crypt to be about cryptography at all but some
> obscure male bonding rite.

> Don't know how she got that idea.

At a guess - by following the group and taking a look at what an average
post constitutes. 

> I won't ask again...

> Paul

-- 
        Sander,
                not that this post won't most probably be judged differently

FLW: "I can banish that demon"

------------------------------

From: Adriano Prado <[EMAIL PROTECTED]>
Subject: Directions
Date: Thu, 17 Aug 2000 17:05:38 GMT

Hi all,

I'm reading some papers and some books about cryptography, but I think
it will be at least some months before I become familiar with this subject.

So, I'd like a direction in my study so I can follow the right path.

I want to make a simple algorithm that computes a password to a specific
machine. This machine communicates with a computer via RS-232... but
it's not important. What matters here is that each machine has a
unique serial number that can be retrieved by a computer.

What I want to do is to send a password (a key) to this machine so it
could unlock itself. So, the machine would get the password and the
serial number and see if it is right.

May I assume that my system is like the way Unix treats its passwords? That is,
can I use the same algorithm used to encrypt Unix passwd, as I have an
Id (s/n) and a password?

Thanks

Adriano Prado
[EMAIL PROTECTED]


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Thu, 17 Aug 2000 19:35:59 +0200



Mark Wooding wrote:
> 
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> 
> > Sorry, doesn't this result of Vazirani and Vazirani conflict with the
> > sentence 'There is no proven reduction in the other direction' above,
> > or have I understood your text entirely in the wrong manner? Could you
> > please say a bit more?
> 
> You've misunderstood.
> 
> We have QRP <=_P IFP, but we *don't* have IFP <=_P QRP.  The BBS paper
> shows QRP <=_P BBS.  The V&V paper shows IFP <=_P BBS, which doesn't
> contradict the previous statements: we have QRP <=_P IFP <=_P BBS.
> 
> If someone had shown that BBS <=_P QRP then that would have been
> interesting.

Excuse me. Could you please explain your notation '<=_P'
and IFP?

> 
> > I hope that this efficient choice does not result in severe
> > reduction of the space of N.
> 
> No.  It offers a *much* larger space of N than any other method I know
> of for obtaining guaranteed cycle bounds, including the `special' primes
> which Ritter likes so much.  Indeed, it's the increase of the space for
> N which makes the method efficient.
> 
> I'll try to get an implementation of my method and offer a few examples
> of numbers chosen using my method.

Sorry, I would like to repeat a question, for I doubt that I 
have fully understood the issue. If the main theorem 
does not involve cycle length and has firmly established 
the security issue, why does one (in particular BBS) 
have to bother to consider subsequently the cycle length 
question at all?

A remark in this connection is that, as I argued in 
connection with an issue of OTP, one should in practice 
conservatively apply tests to all bit sequences generated 
or at least have a sufficient amount of experimental 
results on the generation process (for the size of 
parameters used) to gain some confidence (belief), 
noting that BBS is a PRNG and is not comparable to 
an ideal OTP in theory, as Scott Nelson stressed.

M. K. Shen
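To make the cycle-length point concrete for both Terry Ritter's reply earlier in this digest (short cycles set the minimum guaranteed strength) and M. K. Shen's question just above (why cycle length matters at all): an added example, not code from any poster, that enumerates the period of every seed of x -> x^2 mod N for two tiny Blum moduli. "Special" primes are assumed here to mean p = 2*p1 + 1 with p1 = 2*p2 + 1, all three prime; the thread does not spell out which construction Ritter uses.

```python
"""Cycle structure of the Blum-Blum-Shub map x -> x^2 mod N.
Constructed example comparing two tiny Blum moduli; not code from the thread."""
from collections import Counter


def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def is_special_prime(p):
    """p = 2*p1 + 1 and p1 = 2*p2 + 1 with p, p1, p2 prime and p = 3 (mod 4):
    the 'special prime' shape assumed here to bound BBS cycle lengths."""
    p1, p2 = (p - 1) // 2, (p - 3) // 4
    return p % 4 == 3 and is_prime(p) and is_prime(p1) and is_prime(p2)


def bbs_cycle(seed, n):
    """Iterate x -> x*x mod n from seed until a value repeats.
    Returns (tail, period): steps before the orbit is periodic, then the
    cycle length.  Seed 1 is a fixed point for every modulus: (0, 1)."""
    seen = {}
    x, i = seed, 0
    while x not in seen:
        seen[x] = i
        x = x * x % n
        i += 1
    return seen[x], i - seen[x]


def period_histogram(n):
    """Map period -> number of seeds in 1..n-1 whose orbit ends on such a cycle."""
    return Counter(bbs_cycle(s, n)[1] for s in range(1, n))


PLAIN_N = 31 * 43      # both primes are 3 mod 4, but neither is 'special'
SPECIAL_N = 23 * 47    # 23 = 2*11+1, 11 = 2*5+1;  47 = 2*23+1, 23 = 2*11+1

if __name__ == "__main__":
    for name, n in (("plain", PLAIN_N), ("special", SPECIAL_N)):
        hist = period_histogram(n)
        print(f"{name} N={n}: period -> #seeds", dict(sorted(hist.items())))
        print(f"  longest period {max(hist)}, seeds on it: {hist[max(hist)]}")
```

For the plain modulus no seed has a period above 12, while the special modulus of similar size reaches 110; both still contain a handful of seeds on period-1 or period-2 cycles, which is exactly the configuration Ritter says must be excluded rather than tolerated.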

------------------------------

From: [EMAIL PROTECTED] (William Rowden)
Subject: DES: Say it or spell it? (Newbie question)
Date: 17 Aug 2000 17:24:08 GMT

Here's a newbie question.  Some of you may remember the thread on
pronunciation of various ciphers (e.g., Vigenere) that drifted, as
most topics do, to other words.  Now I have a poll: DES--do you say
it, or spell it?  That is, do you refer to /dez/ or /dee ee ess/?

In a recent conversation with an acquaintance, a new technician at a
NOC, I heard him say that some of the NOC's links used DES encryption.
I realized that, since my instructors are books and online sources, I
had never heard DES said aloud by someone else.  Of course, I noticed
because I was surprised to hear that he referred to it differently
than I do.  I've only mentioned DES to friends in whom I am trying to
pique an interest in cryptography.  Perhaps I need some face time with
amateur cryptographers!
-- 
    -William
PGP key: http://www.eskimo.com/~rowdenw/pgp/rowdenw.asc until 2001-02-01
Fingerprint: B6E5 9732 3464 97C8 2B70  A031 6BF6 9E5C 16B5 C400

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: DES: Say it or spell it? (Newbie question)
Date: 17 Aug 2000 17:43:36 GMT

DES is usually pronounced dezz.  Sometimes spelled out.  Note that DES refers
ONLY to the FIPS 46-3 algorithm.  DEA refers to the ANSI version. But many do
not make this distinction.
Don Johnson

------------------------------

From: [EMAIL PROTECTED] (Steve Newman)
Crossposted-To: comp.arch
Subject: Re: 215 Hz five-qubit quantum processor
Date: Thu, 17 Aug 2000 17:46:12 GMT

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:

> >> Could this algorithm be implemented in a (sufficiently advanced)
> >> quantum computer?  Presumably the length of the theorem would be
> >> bounded by some value proportional (at best) to the number of bits
> >> supported by the computer.  Still, this would be a heck of a thing
> >> if it worked.
> 
> Actually, it's the length of the _proof_ that would be bounded by the
> number of qbits supported by the computer.

Oops, of course.  That's what I meant to say.  Thanks for catching
the mistake.

-- Steve Newman

------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: OT (Proposal of drafting rules of conduct of posting)
Date: Thu, 17 Aug 2000 11:02:44 -0700


Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
<Snip Paul's poorly snipped postings>

> It was my opinion that you were extending the scope of
> the argumentation, thus leading to view points regarding
> cultural mindsets etc.

Too bad you didn't say that. Note the OT label I put on it.

>My proposal was more practical
> oriented and (very) limited to the issue here, being
> motivated by complaints about rude style and that of
> tomstd.

I didn't complain about Tom's style, I objected to it directly and called him
on it. The process was working.

>Thus considerations on philosophical levels
> are not called for in my humble view. It was aimed as
> some amelioration that should be realizable without
> too much difficulty and is further in no sense meant to
> be a cure-all.

Can't you take off your moderator's hat and participate in a discussion as
just one of the guys? I have this view of you diligently taking notes,
carefully weighing one point against another and discarding those that
don't follow the original intent so as to deliver the "consensus" when the
thread peters out. If you want to confine a thread to Tom's behavior, spell
it out! Personally, I feel much more comfortable with a cheerful, loose
warhead like Tom than with this careful dancing.

As it turns out, oh polite resident, this is dead on topic.

I gave my viewpoint. I thought it was relevant. I clearly labeled it as an
opinion. Sorry to disappoint you. What do you want, that I acknowledge it as
silly and retract it? If so, go pound sand. If not, my apologies for the
rude and direct language.

Paul

>
> M. K. Shen





------------------------------

From: Ichinin <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: My first serious (kinda) paper.
Date: Thu, 17 Aug 2000 09:01:44 +0200

Thanks a bunch Mr Tom and Mr David.

Guess I have to go back to do some more studying,
just a question, any thoughts on the following line?


    subkey[x] = rotl(subkey[x], prng()) * stuff;


(the PRNG (should) provide you with a non-linear
 value and would make the rotations more chaotic.
 That was... (IMHO) the neatest idea, but no one
 mentioned it :o)

Thanks again,
Glenn

------------------------------

From: [EMAIL PROTECTED] (David P Jablon)
Subject: Re: Is this Diffie-Hellman modification safe?
Date: Thu, 17 Aug 2000 18:07:10 GMT

Garth, 

Your method is roughly the same as DH-EKE.

For lots of links to this and other research on strong password 
protocols, visit <www.integritysciences.com/links.html>.

In article <WVWl5.17337$[EMAIL PROTECTED]>,
George Harth <[EMAIL PROTECTED]> wrote:
>Hi Tom,
>
>> >1. Alice sends Bob her username and requests a connection. No
>> password is
>> >sent at this stage.
>>
>> First weakness, the attacker now knows who is logging in to the
>> computer.
>
>I see your point, but does this really matter if you know who uses the
>system anyway?
>
>> >2. Bob computes and sends Alice X, where:
>> >    X = (power(g, x) mod n) xor h
>> >
>> >3. Alice computes and sends Bob Y, where:
>> >    Y = (power(g, y) mod n) xor h
>>
>> I assume the password is known only by the server and the
>> client?  Then why even use pk crypto?
>
>Yes.  The password is stored in a file on the server side, and entered at
>runtime by the user of the client.  No passwords or keys are stored on the
>client device (handhelds easily lost or stolen).
>
>> >4. Bob computes and uses Z1 as his Blowfish key:
>> >    Z1 = (power(Y xor h, x) mod n)
>>
>> You should really hash the bignum instead of truncating it.
>
>I'm sorry.  I don't completely follow.  The mod operation is part of the
>original Diffie-Hellman algorithm.  Is that the operation you are referring
>to?
>
>> You make it harder than it needs to be.  If the server and
>> client have a shared secret password simply do this
>>
>> 1.  Make up a 128-bit string R
>> 2.  Use K = hash(R || h) as your shared symmetric key.
>> 3.  Transmit R to the server (or to the client as the case may
>> be).
>>
>> This requires no pk math and is considerably simpler.

This protocol is fine for two machines, but poor for human users
who cannot memorize a 128-bit password.

>It certainly is simpler, but how does the server know which user is
>attempting to logon without checking all user passwords until it finds a
>match (assuming I don't send the username as you suggested I shouldn't do
>above)?  Every user has a different password and it is important for the
>server to know whom it is speaking with.
>
>> Also you may consider EKE type systems if you need passwords,
>> but really with a password you are wasting your time.  The whole
>> point of PK is that I don't need to share a secret with you,
>> that's the point.

The whole point of EKE style systems is that if you're authenticating
humans, then you're wasting your time if your methods, whether symmetric
or PK-based, require people to perform acts that they cannot or will not do.
People can't handle large keys, so they often need systems like EKE to give
them a boost to be able to use strong cryptography.

>Thanks.   It looks like I have more research to do.

Feel free to start at my site and explore from there.

======================================================
David P. Jablon
[EMAIL PROTECTED]
www.IntegritySciences.com
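A runnable walk through steps 2 to 4 of the protocol George quotes, added here as an illustration (not code from any poster, and not the published DH-EKE): both sides' messages with a toy 61-bit modulus, the password mask h assumed to be a hash of the password sized to the modulus (the thread does not say how h is derived), and the shared value hashed down to a 128-bit key as Tom advises instead of being truncated.

```python
"""Toy run of the password-masked Diffie-Hellman exchange quoted above.
Constructed example with tiny parameters; not code from the thread."""
import hashlib
import random

N = 2305843009213693951   # 2**61 - 1, a prime modulus (toy size, assumption)
G = 3                     # base; subgroup questions are ignored in the toy
N_BYTES = (N.bit_length() + 7) // 8


def mask(password):
    """Password-derived XOR mask h, as wide as the modulus.  The thread does
    not say how h is built from the password; a hash is assumed here."""
    digest = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(digest, "big") % (1 << N.bit_length())


def derive_key(z):
    """Hash the shared bignum down to a 128-bit Blowfish key instead of
    truncating it, as Tom's reply suggests."""
    return hashlib.sha256(z.to_bytes(N_BYTES, "big")).digest()[:16]


def exchange(bob_password, alice_password, seed=None):
    """Steps 2-4 of the quoted protocol.  Bob holds the stored password,
    Alice the typed one; returns (bob_key, alice_key), which agree only
    when the passwords match (up to a negligible chance of collision)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    h_bob, h_alice = mask(bob_password), mask(alice_password)
    # Step 2: Bob picks x and sends X = (g^x mod n) xor h
    x = rng.randrange(1, N - 1)
    X = pow(G, x, N) ^ h_bob
    # Step 3: Alice picks y and sends Y = (g^y mod n) xor h
    y = rng.randrange(1, N - 1)
    Y = pow(G, y, N) ^ h_alice
    # Step 4: each side strips its own mask from the received value and
    # finishes ordinary Diffie-Hellman with its private exponent
    z_bob = pow(Y ^ h_bob, x, N)
    z_alice = pow(X ^ h_alice, y, N)
    return derive_key(z_bob), derive_key(z_alice)


if __name__ == "__main__":
    good = exchange("correct horse", "correct horse", seed=1)
    bad = exchange("correct horse", "wrong horse", seed=1)
    print("same password  -> keys agree:", good[0] == good[1])
    print("wrong password -> keys agree:", bad[0] == bad[1])
```

With matching passwords both sides derive the same key; with a wrong password Alice unmasks a garbage value and the keys differ, which is what lets each side confirm the other knows the password without the password itself ever crossing the wire.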


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
