Cryptography-Digest Digest #615, Volume #12       Tue, 5 Sep 00 13:13:00 EDT

Contents:
  Re: 4x4 s-boxes (Tim Tyler)
  Re: Capability of memorizing passwords (Guy Macon)
  Re: A good MAC algorithm? (Mark Wooding)
  Re: Elkies extention to Schoof's algorithm (Robert Harley)
  Re: RSA Patent. (DJohn37050)
  Re: 4x4 s-boxes (Mack)
  Re: Serpent S-boxes (again) (Mack)
  Re: Serpent S-boxes (again) (Mack)
  Re: Steganography vs. Security through Obscurity (Mack)
  Re: Is there any free encryption scripts in perl and VBScript (Richard Herring)
  Re: RSA Patent. (Jerry Coffin)
  Re: blowfish problem ("Douglas A. Gwyn")
  Re: Secret Journal ("Douglas A. Gwyn")
  yet another primitive polynomial search program ("ScottD")
  For those working on the next RSA factoring challenge... ("Ed Suominen")
  Re: Secret Journal (S. T. L.)
  smaller/simpler Blowfish (Eric Furbish)

----------------------------------------------------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: 4x4 s-boxes
Reply-To: [EMAIL PROTECTED]
Date: Tue, 5 Sep 2000 11:16:37 GMT

Mack <[EMAIL PROTECTED]> wrote:
:>Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
:>: Terry Ritter wrote:

:>:> As far as I know, in modern open cryptography, these concepts
:>:> [maximal nonlinearity and uniform Fourier weights] are the same.
:>
:>: They can't be the same, because the latter defines a bent function
:>: but you guys are claiming that bent functions aren't maximally
:>: nonlinear.
:>
:>Only Tom's claiming that AFAICS.  Everyone else appears to be disagreeing.

: I believe tom's claim was that maximally non-linear functions were not
: balanced.  As was mine.  I could be wrong about tom's claim.

Some bits that Tom wrote on this thread that I disagreed with included:
"bent vectors are balanced" - and his responding to my
"A bent function is one with maximum non-linearity" with "No it's not".

This does not appear to be orthodox usage of the term "bent".
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Namaste.

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Capability of memorizing passwords
Date: 05 Sep 2000 11:53:13 GMT

[EMAIL PROTECTED] wrote:
>
>One interesting anecdote about dictionary attacks: I once had an
>account on a distributed unix system that was limited to traditional
>crypt(3) password hashes. In order to "improve" security, they
>disallowed passwords:
>
>1. With six or fewer characters.
>2. With only alphanumeric characters.
>3. Comprised of two words joined by punctuation.
>4. Without letters of both cases.
>5. etc
>
>The bottom line was that the vast majority of passwords were all of
>similar form, such as a capitalized word ending in a digit and
>punctuated. If you eliminated control characters (because, hey it was
>a distributed system and they messed up a lot of terminals, not to
>mention communications programs) and the list of restrictions, I
>believe they managed to eliminate somewhere between 30-40% of the
>entire keyspace. (The exact restrictions, and figures have faded from
>memory over the years). The morals of the story are:
>
>1. Users can be forced into picking easily guessed passwords/phrases
>by over screening. 
>
>2. It's possible for overly aggressive restrictions to severely reduce
>the amount of guessing needed, which hurts rather than helps.

One of my recent employers forced everyone to use three different
passwords for logon to the network, logon to the Internet, and
dial up access to the network.  They assigned the passwords for
us, giving us passwords such as bp94qnwt, zw82ngfp, and mk21lzus.
They also set the server to lock you out if you typed in the wrong
password three times in one day.

The result was the easiest to crack network security that I have
ever seen.  Every single computer had the three passwords on a
post-it note on the monitor.


------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: A good MAC algorithm?
Date: 5 Sep 2000 12:14:33 GMT

D. J. Bernstein <[EMAIL PROTECTED]> wrote:

> If you immediately start communicating again with a new key, I'll simply
> start attacking that key, and I'll succeed just as quickly as I would
> have if you hadn't switched.

Give or take an enormous constant factor.  If the restart is completely
automatic, there'll be at least an extra overhead of a key negotiation,
which is nontrivial even if you have hardware acceleration.  If you have
to wait for a human to click in an annoying dialogue box and then do
some more clicking to re-establish then that'll take even longer.
(Unless the human has a clue failure, gives up on the crypto and sends
everything in the clear instead, of course.)

-- [mdw]

------------------------------

From: Robert Harley <[EMAIL PROTECTED]>
Subject: Re: Elkies extention to Schoof's algorithm
Date: 05 Sep 2000 14:30:59 +0200


I wrote:
> [EMAIL PROTECTED] writes:
> > The well-known Elkies extension to Schoof's point counting algorithm
> > for elliptic curves defined over GF(p) supplies candidates for certain
> > values of #E mod q, a small prime. How can this information be best
> > used [...]
> 
> You should probably do a search for "Chinese and match" as that is the
> method used by Joux & Lercier for counting points over GF(2^1663) in 1998:
> [...]

Here is one of Reynald Lercier's Web pages with a link to a paper about it:

  http://www.medicis.polytechnique.fr/~lercier/francais/sea.html

Bye,
  Rob.
     .-.                                                               .-.
    /   \           .-.                                 .-.           /   \
   /     \         /   \       .-.     _     .-.       /   \         /     \
  /       \       /     \     /   \   / \   /   \     /     \       /       \
 /         \     /       \   /     `-'   `-'     \   /       \     /         \
            \   /         `-'                     `-'         \   /
             `-'             [EMAIL PROTECTED]            `-'

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Date: 05 Sep 2000 13:20:30 GMT
Subject: Re: RSA Patent.

P. 2 of the Doc that Roger mentions says anyone can use the term "RSA
algorithm" but "RSA" should not be used in a way that MIGHT be confused with a
product of RSA Security.
Don Johnson

------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: 4x4 s-boxes
Date: 05 Sep 2000 13:25:47 GMT

>Mack <[EMAIL PROTECTED]> wrote:
>:>Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
>:>: Terry Ritter wrote:
>
>:>:> As far as I know, in modern open cryptography, these concepts
>:>:> [maximal nonlinearity and uniform Fourier weights] are the same.
>:>
>:>: They can't be the same, because the latter defines a bent function
>:>: but you guys are claiming that bent functions aren't maximally
>:>: nonlinear.
>:>
>:>Only Tom's claiming that AFAICS.  Everyone else appears to be disagreeing.
>
>: I believe tom's claim was that maximally non-linear functions were not
>: balanced.  As was mine.  I could be wrong about tom's claim.
>
>Some bits that Tom wrote on this thread that I disagreed with included:
>"bent vectors are balanced" - and his responding to my
>"A bent function is one with maximum non-linearity" with "No it's not".
>
>This does not appear to be orthodox usage of the term "bent".

Sorry wrong attribution.  That is what I get for posting after midnight.
Lost my thread of thought.  No it is not the orthodox usage.

>-- 
>__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
> |im |yler  The Mandala Centre   http://mandala.co.uk/  Namaste.
>
>


Mack
Remove njunk123 from name to reply by e-mail

------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: Serpent S-boxes (again)
Date: 05 Sep 2000 13:31:07 GMT

>
>
>Mack wrote:
>> 
>
>> I totally agree with you.  But the problem with
>> documentation is that what is perfectly clear to
>> the writer is often totally opaque to the reader.
>
>That's why elsewhere certain important documents are
>proof-read also by persons not knowledgeable in the
>field in order to assure understandability by the
>users. I know one case in which a firm offered a
>small reward for every error/defect that its employees
>could detect in certain documents destined for the
>customers.
>
>A question of general nature is: What do the honorable
>peer reviewers of documents do at places where these 
>are incomplete? (Closing eyes and let go?)
>
>But the problem with ciphers like AES can be simply 
>stated and hence should be similarly simply solvable? 
>The request to be given to the authors can be like 
>this: Scan through the document for ALL numerical 
>values and show how EACH is obtained, providing 
>sufficient information such that anyone can verify, 
>if he chooses to do so. Anyway, as long as a cipher 
>contains 'magic' constants that I have potentially
>no way to reproduce myself, I wouldn't take the risk 
>to use it.

I think that the basic solution is part of the review
process.  If something is not absolutely clear
then additional documents should be created explaining
any potential trouble spots.

>
>M. K. Shen
>---------------------------
>http://home.t-online.de/home/mok-kong.shen
>

Mack
Remove njunk123 from name to reply by e-mail

------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: Serpent S-boxes (again)
Date: 05 Sep 2000 13:37:30 GMT

>
>I guess I'm confused again. Page 4 of the paper
>introducing Serpent-1 (the AES candidate) explains
>exactly their criteria, justification, and algorithm for
>generating the S-boxes.
>
>It is a pity that they goofed, and one of the
>sboxes is only of order 2 and not 3, but it
>appears to have been an honest mistake.

All of the s-boxes have at least three equations of
order 3.  Some have one equation of order 2.  I
believe that their intent was to allow such s-boxes.
i.e. the maximum order is 3.

This produces s-boxes whose equations do not
fall into one 'orbit'.  There are only two orbits of
equations with non-linearity 4.  Those of order 2
and those of order 3.

>
>I guess this could be considered an example of
>"proof by assertion", but, has anyone actually
>checked the stated algorithm to see if it does
>produce the chosen s-boxes?
>

I have verified that all of the s-boxes meet the
criteria as I understand them.  I have not verified
that the algorithm they describe actually produces
those s-boxes however.

>Greg.
>-- 
>Greg Rose                                     INTERNET: [EMAIL PROTECTED]
>QUALCOMM Australia        VOICE:  +61-2-9181 4851   FAX: +61-2-9181 5470
>Suite 410, Birkenhead Point              http://people.qualcomm.com/ggr/ 
>Drummoyne NSW 2047      B5 DF 66 95 89 68 1F C8  EF 29 FA 27 F2 2A 94 8F
>

Mack
Remove njunk123 from name to reply by e-mail
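The quantities argued over in the "4x4 s-boxes" exchange above (whether a bent function, one with uniform Fourier/Walsh weights, is maximally nonlinear, and whether it can be balanced) and in this post (equations of order 2 or order 3 with nonlinearity 4, and checking an S-box against its stated criteria) can all be computed from the truth tables. The following is an added example, not code from the thread or from the Serpent authors: a Walsh-Hadamard transform gives the spectrum, nonlinearity and the bent test; a Moebius transform gives the algebraic order; applying those to every nonzero combination of output bits gives an S-box's nonlinearity and maximum order, and a difference-distribution count gives its differential uniformity. The Boolean functions and the GF(2^4) inversion table are constructed for this example; the Serpent tables are not reproduced here, so to check them substitute the tables from the Serpent specification for the constructed S-box.

```python
"""Walsh/ANF measures for Boolean functions and 4x4 S-boxes (added example)."""


def truth_table(func, n):
    """Truth table of func as a 0/1 list indexed by x; bit i of x is x_i."""
    return [func(x) & 1 for x in range(1 << n)]


def walsh_spectrum(tt):
    """W_f(a) = sum_x (-1)^(f(x) xor a.x) for every a, by a fast
    Walsh-Hadamard transform over the +-1 encoding of the truth table."""
    w = [1 - 2 * bit for bit in tt]
    size, h = len(tt), 1
    while h < size:
        for i in range(0, size, 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def nonlinearity(tt):
    """Distance to the closest affine function: 2^(n-1) - max|W_f(a)| / 2."""
    return len(tt) // 2 - max(abs(c) for c in walsh_spectrum(tt)) // 2


def is_balanced(tt):
    """Balanced <=> weight 2^(n-1) <=> W_f(0) == 0."""
    return walsh_spectrum(tt)[0] == 0


def is_bent(tt):
    """Bent <=> uniform Walsh weights |W_f(a)| = 2^(n/2) for all a (n even).
    Such a function has W_f(0) != 0, so it is never balanced."""
    n = len(tt).bit_length() - 1
    return n % 2 == 0 and all(abs(c) == 1 << (n // 2) for c in walsh_spectrum(tt))


def algebraic_degree(tt):
    """Order of the algebraic normal form (Moebius transform of the table)."""
    anf, size, h = list(tt), len(tt), 1
    while h < size:
        for i in range(0, size, 2 * h):
            for j in range(i, i + h):
                anf[j + h] ^= anf[j]
        h *= 2
    return max((bin(m).count("1") for m in range(size) if anf[m]), default=0)


def component(sbox, mask, n=4):
    """Boolean function x -> parity(mask & S(x)): one output 'equation'."""
    return [bin(sbox[x] & mask).count("1") & 1 for x in range(1 << n)]


def sbox_nonlinearity(sbox, n=4):
    """Minimum nonlinearity over all nonzero output-bit combinations."""
    return min(nonlinearity(component(sbox, m, n)) for m in range(1, 1 << n))


def sbox_degree(sbox, n=4):
    """Maximum algebraic order over all nonzero output-bit combinations."""
    return max(algebraic_degree(component(sbox, m, n)) for m in range(1, 1 << n))


def differential_uniformity(sbox, n=4):
    """Largest difference-distribution-table entry for a nonzero input XOR."""
    worst = 0
    for delta_in in range(1, 1 << n):
        counts = [0] * (1 << n)
        for x in range(1 << n):
            counts[sbox[x] ^ sbox[x ^ delta_in]] += 1
        worst = max(worst, max(counts))
    return worst


def is_permutation(sbox):
    return sorted(sbox) == list(range(len(sbox)))


# Constructed samples (not taken from the thread or from the Serpent paper).
BENT_4 = truth_table(lambda x: ((x >> 0) & (x >> 1)) ^ ((x >> 2) & (x >> 3)), 4)  # x0x1 + x2x3
BALANCED_4 = truth_table(lambda x: (x >> 0) ^ ((x >> 1) & (x >> 2)), 4)            # x0 + x1x2
LINEAR_4 = truth_table(lambda x: x >> 0, 4)                                         # x0
IDENTITY_SBOX = list(range(16))
# Multiplicative inverse in GF(2^4) modulo x^4 + x + 1, with 0 -> 0; the table
# was worked out by hand for this example (a standard 4-bit S-box construction).
GF16_INVERSE_SBOX = [0, 1, 9, 14, 13, 11, 7, 6, 15, 2, 12, 5, 10, 4, 3, 8]


def sbox_report(sbox):
    """The figures a reviewer would compare against an S-box's stated criteria."""
    return {
        "permutation": is_permutation(sbox),
        "nonlinearity": sbox_nonlinearity(sbox),
        "max_order": sbox_degree(sbox),
        "differential_uniformity": differential_uniformity(sbox),
    }


if __name__ == "__main__":
    for name, tt in (("x0x1+x2x3", BENT_4), ("x0+x1x2", BALANCED_4), ("x0", LINEAR_4)):
        print(name, "NL", nonlinearity(tt), "balanced", is_balanced(tt),
              "bent", is_bent(tt), "order", algebraic_degree(tt))
    print("identity", sbox_report(IDENTITY_SBOX))
    print("GF(2^4) inverse", sbox_report(GF16_INVERSE_SBOX))
```

On four variables the bent sample reaches nonlinearity 6 with every |W_f(a)| equal to 4, and its weight is 6, so it is not balanced; the balanced sample x0 + x1x2 stops at nonlinearity 4, which is the most a balanced 4-variable function (and hence any component of a 4x4 bijection) can have. The inversion S-box shows what a good 4-bit permutation looks like in these terms: nonlinearity 4, maximum order 3, differential uniformity 4.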

------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: Steganography vs. Security through Obscurity
Date: 05 Sep 2000 13:48:00 GMT

>Mok-Kong Shen wrote:
>>
>>Guy Macon wrote:
>>
>>> Point a camera at the PC and record the keystrokes.
>>> Police do this sort of thing all of the time.
>>
>>That applies the same for accessing a web page as
>>for accessing a newsgroup, I suppose.
>
>You are confusing the detection of who sent a message with
>the detection of who received it again.  Newsgroups are for
>hiding who received it.  I mentioned the camera in the
>context of hiding who sent it.  The police can trace it back
>to the Internet Cafe, Library, etc, which right away gives
>them the city you are in.  After that, the camera catches you
>sending a future message.  Not very secure at all.
>
>>> I am not talking about "zeroknowledge or whatever".
>>> I am talking about the system described at
>>> http://www.zeroknowledge.com/
>>> which most assuredly does not leave such a trace.
>>
>>I don't know what that 'system' does.
>
>Then go to http://www.zeroknowledge.com/ and find out!
>Either that or don't post on the subject.  This is a sct.*
>newsgroup.  We are supposed to be presenting informed
>opinions.  Posting about something without spending five
>minutes following the URL is what they do in talk.*...
>
>> But, if anything electrical in connection with that
>> system goes out from a cable from, for example, you
>> home, that can be monitored and registered, I believe.
>
>First, they don't know which of the many Zeroknowledge
>users sent it.  Even Zeroknowledge doesn't know that.
>Second, even if they do know, what goes out of your
>home is encrypted.  I assure you that Zeroknowledge
>is way more secure than your "post from an Internet
>Cafe" idea.
>
>

With the admission of the existence of dedicated IP tapping
software, it is very hard to see any way that you can avoid
traffic analysis.  Specifically since every IP connection by
necessity contains the sender's address.  A single posting
is still safe however as there is no 'traffic pattern'.




Mack
Remove njunk123 from name to reply by e-mail

------------------------------

From: [EMAIL PROTECTED] (Richard Herring)
Subject: Re: Is there any free encryption scripts in perl and VBScript
Date: 5 Sep 2000 13:48:22 GMT
Reply-To: [EMAIL PROTECTED]

In article <8ov4j2$hvb$[EMAIL PROTECTED]>, Paul Rubin ([EMAIL PROTECTED]) wrote:
> In article <[EMAIL PROTECTED]>,
>  <[EMAIL PROTECTED]> wrote:
> >Can someone here tell if there are any free scripts with an algorithm
> >for encryption (like pgp or something else with private and public
> >keys) which has been implemented in both perlscript and VBScript ???

> There are several public-key implementations in perl.  I've never
> heard of "perlscript".

It's just plain old perl, packaged so it can be invoked directly
as a scripting language from within an application. 

-- 
Richard Herring      | <[EMAIL PROTECTED]> 

------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: RSA Patent.
Date: Tue, 5 Sep 2000 08:26:23 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]=NOSPAM 
says...

[ ... ] 

> Considering all the fuss about Senderek's discovery of a big bug 
> in PGP's new format (brought on by the new Diffie-Hellman keys), 
> they might regard it also as a little vindication ;-)  RSA rules!

Any relationship between the new format and Diffie-Hellman key 
exchange is _purely_ coincidental.  Claiming that this bug 
demonstrates some superiority for RSA is simply ridiculous.  It would 
be just as accurate to claim that since the flawed product includes 
both DH and RSA, that the only really good form of PK encryption uses 
elliptical curves.

None of these contains anything that even hints at the truth, which 
is that (as I'd consider typical) the security problem in question 
had absolutely NOTHING to do with shortcomings in the encryption 
algorithms themselves at all.

-- 
    Later,
    Jerry.

The Universe is a figment of its own imagination.

------------------------------

Crossposted-To: comp.lang.c
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: blowfish problem
Date: Tue, 5 Sep 2000 14:05:55 GMT

"Trevor L. Jackson, III" wrote:
> "Douglas A. Gwyn" wrote:
> > "Trevor L. Jackson, III" wrote:
> > > "Douglas A. Gwyn" wrote:
> > > > On the PDP-11, operations with signed char tended to be faster
> > > > than with unsigned char, due to properties of the instruction set.
> > > Interesting.  Must have been the versions before my time.  I recall
> > > nothing special about signed chars on -35, -60, -70, and the LSI-11
> > > subfamily.
> > The PDP-11 instruction set included operations on "bytes"
> > (8-bit addressable units on the PDP-11) and "words".
> > Registers were always full words.  The byte operations
> > would automatically sign-extend; thus if signed chars
> > were wanted the right thing occurred, but if unsigned
> > chars were wanted the sign-extension had to be masked
> > off, which made for slower code.
> Right. Promotions to wider types require a mask.  It sounded like you were
> claiming that all operations on unsigned chars were slower in hardware
> than those on signed chars.

Certainly, arithmetic operations, etc. were slower
for unsigned char due to having to post-mask.

> Since the implicit promotions to int can be optimized away when the target
> is any kind of char, this difference should be undetectable for most
> programs.

I'm talking about how the machine actually functioned
when supporting type "unsigned char", not about C's
promotion rules.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Secret Journal
Date: Tue, 5 Sep 2000 14:11:41 GMT

Melinda Harris wrote:
> Have any cryptographers, hackers or computer programmers reviewed and analyzed
> the Secret Journal disclosure? I need all the response I can get regarding
> this unprecedented virus.

My response is "You should tell us what you are talking about."

------------------------------

From: "ScottD" <[EMAIL PROTECTED]>
Subject: yet another primitive polynomial search program
Date: Tue, 5 Sep 2000 10:36:29 -0500

This one requires a Pentium III and Windows, and is optimized for speed.

http://sduplichan.home.att.net/primitive/primitivePolynomials.htm
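As an added example, and not ScottD's program (which is not reproduced here), this is the test such a search has to run on every candidate, written in Python for clarity rather than speed. A degree-n polynomial p over GF(2) is primitive exactly when x has order 2^n - 1 in GF(2)[x]/(p); the code checks that by modular exponentiation against the prime factors of 2^n - 1, which also disposes of reducible p, since a non-field quotient has fewer than 2^n - 1 units. The trial-division factoring and the exhaustive search are assumptions of convenience that keep it practical only for small degrees.

```python
"""Primitive-polynomial test and search over GF(2) (added example).

A polynomial is an int whose bit i is the coefficient of x^i, so
x^4 + x + 1 is 0b10011 == 19."""


def polymulmod(a, b, p):
    """Product of a and b in GF(2)[x], reduced modulo p (a must already be
    reduced, i.e. deg a < deg p)."""
    deg = p.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> deg) & 1:
            a ^= p
    return r


def polypowmod(base, exponent, p):
    """base^exponent modulo p by square-and-multiply."""
    result = 1
    while exponent:
        if exponent & 1:
            result = polymulmod(result, base, p)
        base = polymulmod(base, base, p)
        exponent >>= 1
    return result


def prime_factors(m):
    """Distinct prime factors by trial division (fine for 2^n - 1 with small n)."""
    factors, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            factors.add(d)
            m //= d
        d += 1
    if m > 1:
        factors.add(m)
    return factors


def is_primitive(p):
    """True when x generates the whole multiplicative group (order 2^n - 1) of
    GF(2)[x]/(p).  A reducible p has fewer than 2^n - 1 units, so this order
    test rejects it without a separate irreducibility check."""
    n = p.bit_length() - 1
    if n < 1 or p & 1 == 0:          # x divides p: x is not even a unit
        return False
    if n == 1:                       # only x + 1 survives the checks above
        return True
    order = (1 << n) - 1
    x = 0b10
    if polypowmod(x, order, p) != 1:
        return False
    return all(polypowmod(x, order // q, p) != 1 for q in prime_factors(order))


def primitive_polynomials(n):
    """Every primitive polynomial of degree n (brute force; small n only)."""
    lo, hi = 1 << n, 1 << (n + 1)
    return [p for p in range(lo | 1, hi, 2) if is_primitive(p)]


if __name__ == "__main__":
    print(is_primitive(0b10011))   # x^4 + x + 1
    print(is_primitive(0b11111))   # x^4 + x^3 + x^2 + x + 1: irreducible, but x has order 5
    print([bin(p) for p in primitive_polynomials(4)])
```

The second sample is the case a naive irreducibility-only test gets wrong: x^4 + x^3 + x^2 + x + 1 is irreducible, yet x has order 5 in its quotient, so an LFSR built on it would cycle after 5 steps instead of 15. The count returned by the search should match phi(2^n - 1) / n, which is 2 for degree 4 and 6 for degree 5.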




------------------------------

From: "Ed Suominen" <[EMAIL PROTECTED]>
Subject: For those working on the next RSA factoring challenge...
Date: Tue, 5 Sep 2000 08:42:53 -0700

For those working on the next RSA factoring challenge...

"Cray supercomputer for sale on eBay"
Article at http://www.theregister.co.uk/content/1/13034.html

"The sellers describe it as an extremely reliable workhorse for R&D
computing. Mario, a black and gold beauty, contains '16 vector
processors, each capable of 1 GFLOP performance, main memory
amounting to 512 MegaWords (4GB), and a 512MW (4GB)
Solid-state Storage Device (SSD) serving as an extension to
memory. He comes with raid controllers and disks providing over
130GB of high-speed disk storage.'"

But wouldn't a network of about 10-20 PIII-1000 MHz PC's do just as well,
for a fraction of the cost?

--
Ed Suominen
Registered Patent Agent
Web Site: http://eepatents.com
PGP Public Key: http://eepatents.com/key





------------------------------

From: [EMAIL PROTECTED] (S. T. L.)
Date: 05 Sep 2000 16:04:34 GMT
Subject: Re: Secret Journal

/*My response is "You should tell us what you are talking about."*/

Actually, I believe that the correct response is: "The eagle flies at midnight
purple monkey dishwasher".

-*---*-------
S.T.L.  My Quotes Page * http://quote.cjb.net * leads to my NEW site.
My upgraded Book Reviews Page: * http://sciencebook.cjb.net *
Optimized pngcrush executable now on my Download page!
Long live pngcrush!  :->

------------------------------

From: Eric Furbish <[EMAIL PROTECTED]>
Subject: smaller/simpler Blowfish
Date: Tue, 5 Sep 2000 11:34:34 -0500

Hello.  I'm looking to implement a version of blowfish on an IC with a
fairly limited number of transistors (college project).  I was wondering
if anyone could provide a link to a properly scaled-down version of
blowfish that won't have so much space overhead, such as smaller S-boxes,
etc.  I'm not looking for something that's extremely secure, just
something reasonably small that works.

Thanks,
Eric


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
